Re: [Freeipa-users] migration 3.3-4.1 CA change

2014-10-23 Thread Petr Spacek
On 22.10.2014 22:06, William Graboyes wrote: Hello List, So the whole not being able to change the CA easily is becoming a regular point of contention in meetings. If I have read the e-mails on this list correctly this issue is fixed in 4.1.

Re: [Freeipa-users] migration 3.3-4.1 CA change

2014-10-23 Thread Jan Cholasta
Hi, On 23.10.2014 at 08:47, Petr Spacek wrote: On 22.10.2014 22:06, William Graboyes wrote: Hello List, So the whole not being able to change the CA easily is becoming a regular point of contention in meetings. If I have read the e-mails on

Re: [Freeipa-users] A crazy idea maybe, migration to Free-IPA 4.1.

2014-10-23 Thread Orkhan Gasimov
I already deployed FreeIPA 4.1 on Fedora 21 server alpha-release. Everything is good as far as FreeIPA server operation is concerned. 23-Oct-14 01:06, William Graboyes wrote: 3) am I insane for wanting to introduce FC21 into my environment?

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-23 Thread Lukas Slebodnik
On (23/10/14 11:27), Outback Dingo wrote: On Thu, Oct 23, 2014 at 11:20 AM, Fraser Tweedale ftwee...@redhat.com wrote: On Wed, Oct 22, 2014 at 03:23:56PM +0200, Lukas Slebodnik wrote: On (22/10/14 17:10), Fraser Tweedale wrote: Further to my earlier email, I have written a blog post about

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-23 Thread Орхан Касумов
+1. And even if talking about installation of the necessary software and not about the configuration, then why this? The commands to enable the custom repository and install the required packages on a FreeBSD host appear below. Note that these are Bourne shell commands; this script will not

[Freeipa-users] Announcing FreeIPA 4.1.0

2014-10-23 Thread Petr Vobornik
The FreeIPA team is proud to announce FreeIPA v4.1.0! It can be downloaded from http://www.freeipa.org/page/Downloads. The builds will be available for Fedora 21. Builds for Fedora 20 are available in the official COPR repository [https://copr.fedoraproject.org/coprs/mkosek/freeipa/]. ==

Re: [Freeipa-users] A crazy idea maybe, migration to Free-IPA 4.1.

2014-10-23 Thread Orkhan Gasimov
Yet with FreeIPA v4 we've got another thing to keep in mind regarding FreeBSD - FreeIPA integration: the cron script proposed at FreeBSD forums won't work. Here's what was said in the post: The tricky part was getting sudo to work with host groups. FreeIPA keeps host groups in netgroups, and

[Freeipa-users] FreeIPA 3.3.3 and sssd segfault

2014-10-23 Thread crony
Hi, I have a FreeIPA 3.3.3 in transitive trust with AD2008. Today I saw a lot of sssd segfaults on the server side: [ 420.412011] sssd_be[734]: segfault at 8 ip 7fa54fa73334 sp 7fff62b2ec40 error 4 in libldb.so.1.1.16[7fa54fa66000+2c000] [ 421.763035] sssd_be[2666]: segfault at 8 ip

[Freeipa-users] IPA 3.3.3 in transitive trust and random group assignment

2014-10-23 Thread crony
Hi List, On IPA server I added one external group for AD group. When I log in to IPA client I can see that group: 97687(trustlinuxgroup_from_ad2posix) but also I see few different groups came directly from Active Directory like 127310615(trustlinuxgr...@acme.example.com) or

Re: [Freeipa-users] Woes adding a samba server to the ipa domain

2014-10-23 Thread Sumit Bose
On Tue, Oct 21, 2014 at 07:49:11AM -0430, Loris Santamaria wrote: On Mon, 20-10-2014 at 21:19 -0400, Dmitri Pal wrote: On 10/20/2014 09:15 AM, Loris Santamaria wrote: [...] Trying to join the server to the domain (net rpc join -U domainadmin -S ipaserver) fails, and it

Re: [Freeipa-users] FreeIPA 3.3.3 and sssd segfault

2014-10-23 Thread Lukas Slebodnik
On (23/10/14 12:23), crony wrote: Hi, I have a FreeIPA 3.3.3 in transitive trust with AD2008. Today I saw a lot of sssd segfaults on the server side: [ 420.412011] sssd_be[734]: segfault at 8 ip 7fa54fa73334 sp 7fff62b2ec40 error 4 in libldb.so.1.1.16[7fa54fa66000+2c000] Could you

Re: [Freeipa-users] FreeIPA 3.3.3 and sssd segfault

2014-10-23 Thread crony
Already sent directly to your email. /lm 2014-10-23 13:45 GMT+02:00 Lukas Slebodnik lsleb...@redhat.com: On (23/10/14 12:23), crony wrote: Hi, I have a FreeIPA 3.3.3 in transitive trust with AD2008. Today I saw a lot of sssd segfaults on the server side: [ 420.412011] sssd_be[734]:

Re: [Freeipa-users] Attempting to re-provision previous replica

2014-10-23 Thread John Desantis
Rob and Rich, ipa-replica-manage del should have cleaned things up. You can clear out old RUVs with ipa-replica-manage too via list-ruv and clean-ruv. You use list-ruv to get the id# to clean and clean-ruv to do the actual cleaning. I remember having previously tried this task, but it had

Re: [Freeipa-users] A crazy idea maybe, migration to Free-IPA 4.1.

2014-10-23 Thread Orkhan Gasimov
And another interesting behaviour. Say a user netuser is a member of a user group netstaff, and a host bsd.example.com is a member of a host group nethosts. We then create an HBAC rule netstaff_to_nethosts: Who: User Groups - netstaff -- Accessing: Host Groups - nethosts -- Via Service:

Re: [Freeipa-users] Attempting to re-provision previous replica

2014-10-23 Thread Rich Megginson
On 10/23/2014 07:01 AM, John Desantis wrote: Rob and Rich, ipa-replica-manage del should have cleaned things up. You can clear out old RUVs with ipa-replica-manage too via list-ruv and clean-ruv. You use list-ruv to get the id# to clean and clean-ruv to do the actual cleaning. I remember

[Freeipa-users] IPA+AD (transitive trust) - s2n exop request failed

2014-10-23 Thread crony
Hi All, I've found another problem with my setup: What could be the reason of such errors on FreeIPA client side: /var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:49:23 2014) [sssd[be[linux.acme.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.

Re: [Freeipa-users] IPA+AD (transitive trust) - s2n exop request failed

2014-10-23 Thread Sumit Bose
On Thu, Oct 23, 2014 at 03:47:31PM +0200, crony wrote: Hi All, I've found another problem with my setup: What could be the reason of such errors on FreeIPA client side: /var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:49:23 2014) [sssd[be[linux.acme.example.com]]]

Re: [Freeipa-users] IPA+AD (transitive trust) - s2n exop request failed

2014-10-23 Thread Alexander Bokovoy
On Thu, 23 Oct 2014, crony wrote: Hi All, I've found another problem with my setup: What could be the reason of such errors on FreeIPA client side: You need to check sssd logs on IPA master side. IPA 3.3.3 + RHEL7 and IPA clients: RHEL 6.4 and RHEL 6.6 - the same situation. There were some

Re: [Freeipa-users] IPA+AD (transitive trust) - s2n exop request failed

2014-10-23 Thread crony
Probably yes. 2014-10-23 15:59 GMT+02:00 Sumit Bose sb...@redhat.com: On Thu, Oct 23, 2014 at 03:47:31PM +0200, crony wrote: Hi All, I've found another problem with my setup: What could be the reason of such errors on FreeIPA client side:

Re: [Freeipa-users] IPA 3.3.3 in transitive trust and random group assignment

2014-10-23 Thread Alexander Bokovoy
On Thu, 23 Oct 2014, crony wrote: Hi List, On IPA server I added one external group for AD group. When I log in to IPA client I can see that group: 97687(trustlinuxgroup_from_ad2posix) but also I see few different groups came directly from Active Directory like

Re: [Freeipa-users] FreeIPA 3.3.3 and sssd segfault

2014-10-23 Thread Lukas Slebodnik
On (23/10/14 14:44), crony wrote: Already sent directly to your email. Thank you for coredump. It is a known bug (https://fedorahosted.org/sssd/ticket/2391) Bug is fixed in sssd upstream sh$ git tag --contains 895f045dd4aad7f5857826cc1496cfa048a790dd sssd-1_11_7 sh$ git tag --contains

Re: [Freeipa-users] FreeIPA 3.3.3 and sssd segfault

2014-10-23 Thread crony
yes, sure, it would be great to see if it works in upstream version. thank you 2014-10-23 16:10 GMT+02:00 Lukas Slebodnik lsleb...@redhat.com: On (23/10/14 14:44), crony wrote: Already sent directly to your email. Thank you for coredump. It is a known bug

Re: [Freeipa-users] FreeIPA 3.3.3 and sssd segfault

2014-10-23 Thread Lukas Slebodnik
On (23/10/14 16:31), crony wrote: yes, sure, it would be great to see if it works in upstream version. thank you Here you are https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-11/ LS

[Freeipa-users] Announcing FreeIPA 4.0.4

2014-10-23 Thread Petr Vobornik
The FreeIPA team would like to announce FreeIPA v4.0.4 bugfix release! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 21 are available in the official COPR repository [https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.0/]. == Highlights in 4.0.4 == ===

[Freeipa-users] Synchronization Agreements between FreeIPA and AD

2014-10-23 Thread Сапегин Валерий
Hello! I tried to configure synchronization between FreeIPA and Windows AD 2012. The first time, accounts from AD synchronized properly, but the next schedule after 5 min does not work, and in the error log I see the following errors: # tail -f /var/log/dirsrv/slapd-TEST-CSBI-ITS-RU/errors

[Freeipa-users] Recovering from messed-up certs

2014-10-23 Thread Eric McCoy
Hi all, I somehow destroyed my primary IPA server's Server-Cert in /etc/httpd/alias. I don't understand how or why it happened, all I know is that I went to restart Apache and it was gone. Apache won't start, of course, because the cert is missing. I can't issue a new cert on the primary

Re: [Freeipa-users] FreeIPA 3.3.3 and sssd segfault

2014-10-23 Thread crony
Thank you! Error: Package: sssd-client-1.11.7-2.el7.centos.x86_64 (lslebodn-sssd-1-11) Requires: libc.so.6(GLIBC_2.14)(64bit) Error: Package: python-sssdconfig-1.11.7-2.el7.centos.noarch (lslebodn-sssd-1-11) Requires: python(abi) = 2.7 Installed:

Re: [Freeipa-users] A crazy idea maybe, migration to Free-IPA 4.1.

2014-10-23 Thread Орхан Касумов
Alright then, thanks for info! Tomorrow is the deadline for my researches on FreeIPA. Then I have to start deploying a centralized management solution in our production environment. Please help me to make a final decision on which version of FreeIPA to choose - 3.3 or 4.1? I'd like to have all

Re: [Freeipa-users] FreeIPA 3.3.3 and sssd segfault

2014-10-23 Thread Lukas Slebodnik
On (23/10/14 18:12), crony wrote: Thank you! I prepared repo for epel6, epel7 and fedora 19 Error: Package: sssd-client-1.11.7-2.el7.centos.x86_64 (lslebodn-sssd-1-11) Requires: libc.so.6(GLIBC_2.14)(64bit) Error: Package: python-sssdconfig-1.11.7-2.el7.centos.noarch

Re: [Freeipa-users] A crazy idea maybe, migration to Free-IPA 4.1.

2014-10-23 Thread Alexander Bokovoy
On Thu, 23 Oct 2014, Орхан Касумов wrote: Alright then, thanks for info! Tomorrow is the deadline for my researches on FreeIPA. Then I have to start deploying a centralized management solution in our production environment. Please help me to make a final decision on which version of FreeIPA to

Re: [Freeipa-users] Recovering from messed-up certs

2014-10-23 Thread Rob Crittenden
Eric McCoy wrote: Hi all, I somehow destroyed my primary IPA server's Server-Cert in /etc/httpd/alias. I don't understand how or why it happened, all I know is that I went to restart Apache and it was gone. Apache won't start, of course, because the cert is missing. I can't issue a new

Re: [Freeipa-users] Synchronization Agreements between FreeIPA and AD

2014-10-23 Thread Rich Megginson
On 10/23/2014 10:26 AM, Dmitri Pal wrote: On 10/23/2014 08:19 AM, Сапегин Валерий wrote: Hello! I tried to configure synchronization between FreeIPA and Windows AD 2012. The first time, accounts from AD synchronized properly, but the next schedule after 5 min does not work, and in the error log I

Re: [Freeipa-users] A crazy idea maybe, migration to Free-IPA 4.1.

2014-10-23 Thread Orkhan Gasimov
Very interesting! You're right, I used simple ldapsearch -x command on the client when browsing the LDAP database. With IPA 3.3 it returned a whole lot of info about hostgroups, but with IPA 4.1 - only a single string 'cn=ng,cn=compat,$SUFFIX'. That's why current script didn't work. Tomorrow

Re: [Freeipa-users] FreeIPA 3.3.3 and sssd segfault

2014-10-23 Thread crony
Oh, sorry Lukas, now it's my mistake + tiredness. I was testing on the wrong machine. Thank you. /lm 2014-10-23 18:30 GMT+02:00 Lukas Slebodnik lsleb...@redhat.com: On (23/10/14 18:12), crony wrote: Thank you! I prepared repo for epel6, epel7 and fedora 19 Error: Package:

Re: [Freeipa-users] Recovering from messed-up certs

2014-10-23 Thread Eric McCoy
Some nicknames changed to protect the innocent. The puppetmaster/hostname cert is nominally unrelated, though its creation was contemporaneous with the disappearance of server-cert so I can't entirely rule it out. Certificate Nickname Trust Attributes

Re: [Freeipa-users] Recovering from messed-up certs

2014-10-23 Thread Rob Crittenden
Eric McCoy wrote: Some nicknames changed to protect the innocent. The puppetmaster/hostname cert is nominally unrelated, though its creation was contemporaneous with the disappearance of server-cert so I can't entirely rule it out. Certificate Nickname

[Freeipa-users] Inconsistent group memberships in sssd

2014-10-23 Thread Michael Lasevich
FreeIPA 4.0.3 server with SSSD 1.9.2 on CentOS6 Seems that group membership is completely inconsistent Running id in shell as my user on: * ipa server - I am a member of 2 groups * Server that just came up and joined - 1 group * Server that has been up for some time - 5 groups Via UI:

Re: [Freeipa-users] Inconsistent group memberships in sssd

2014-10-23 Thread Michael Lasevich
Small update, it appears that once I run getent group groupname - my user shows up in the group groupname. Odd. (and yes, I have run sss_cache -UG many a time) -M On Thu, Oct 23, 2014 at 5:15 PM, Michael Lasevich mlasev...@gmail.com wrote: FreeIPA 4.0.3 server with SSSD 1.9.2 on CentOS6

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-23 Thread Fraser Tweedale
On Thu, Oct 23, 2014 at 02:12:47PM +0400, Орхан Касумов wrote: +1. And even if talking about installation of the necessary software and not about the configuration, then why this? The commands to enable the custom repository and install the required packages on a FreeBSD host appear

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-23 Thread Fraser Tweedale
On Thu, Oct 23, 2014 at 09:58:33AM +0200, Lukas Slebodnik wrote: On (23/10/14 11:27), Outback Dingo wrote: On Thu, Oct 23, 2014 at 11:20 AM, Fraser Tweedale ftwee...@redhat.com wrote: On Wed, Oct 22, 2014 at 03:23:56PM +0200, Lukas Slebodnik wrote: On (22/10/14 17:10), Fraser Tweedale

[Freeipa-users] Third party SSL certificate renewal

2014-10-23 Thread Dragan Prostran
Hello, This is my first time posting to this list, so if I've made a faux pas or mistake, please do correct me. Can anyone please point me to the correct method for renewing 3rd party SSL certificates used by FreeIPA 3.0? I suspect I've not done this correctly. Here is what has worked correctly

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-23 Thread Orkhan Gasimov
You could ease everything by creating 2 files: FreeIPA.conf and FreeIPA.pem, uploading them to Web and sharing links to them. FreeBSD users could then use the fetch command to download and use your files. Sent from Blue Mail On 24.10.2014, at 5:36, Fraser Tweedale ftwee...@redhat.com

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-23 Thread Fraser Tweedale
On Fri, Oct 24, 2014 at 07:42:31AM +0500, Orkhan Gasimov wrote: You could ease everything by creating 2 files: FreeIPA.conf and FreeIPA.pem, uploading them to Web and sharing links to them. FreeBSD users could then use the fetch command to download and use your files. I turned it into a shell

[Freeipa-users] Errors upgrading 4.0.1 to 4.1

2014-10-23 Thread Michael Lasevich
While upgrading from 4.0.1 to 4.1 on Fedora 20 I got the following on one of the two boxes: Upgrade failed with attribute allowWeakCipher not allowed IPA upgrade failed. Unexpected error DuplicateEntry: This entry already exists It seems the ipa no longer starts up after this. The replica server