Re: [Freeipa-users] migrate-ds aborts

2015-01-15 Thread Martin Kosek
On 01/15/2015 06:31 PM, Quayle, Bill wrote: I am migrating an openLDAP tree into ipa, and when I run ipa migrate-ds, the migration aborts after roughly 36 seconds with: ipa: ERROR: cannot connect to 'ldap://10.x.x.x:389': It has transferred 9762 records, but seems to hit a timeout that causes i

Re: [Freeipa-users] DNS Design for FreeIPA4

2015-01-15 Thread Steven Jones
Hi, KISS keep it simple and stupid. What we do is, AD domain is domain.com and does all its own DNS and Kerberos, all windows machines point at it etc IPA domain is ipa.domain.com and all IPA's and indeed all Linux servers point at IPA for everything incl NTP. IPA servers use the AD server

Re: [Freeipa-users] DNS Design for FreeIPA4

2015-01-15 Thread Baird, Josh
William, I don't understand why I would have problems if AD DNS can resolve IPA dns, and IPA DNS can resolve AD DNS? The DNS servers that my servers are using can resolve both AD and IPA. Thanks, Josh > -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-

Re: [Freeipa-users] DNS Design for FreeIPA4

2015-01-15 Thread William Muriithi
Josh, You will have problems if you go with below plan in my opinion. I used arrangements like the one you listed below when I used freeipa 2.2. This worked for me only when I had users hosted on freeipa. After upgrading to 3.3 for trust, it became very unreliable and had to point the ipa clie

[Freeipa-users] DNS Design for FreeIPA4

2015-01-15 Thread Baird, Josh
Hi, We are currently piloting FreeIPA4 (RHEL 7.1 IdM) in our environment. We plan on establishing a trust with AD at some point during the POC. An overview of the current DNS design: * FreeIPA runs integrated DNS (ie, ipa.domain.com) * Servers in our environment (even once joined to IPA) cont

[Freeipa-users] migrate-ds aborts

2015-01-15 Thread Quayle, Bill
I am migrating an openLDAP tree into ipa, and when I run ipa migrate-ds, the migration aborts after roughly 36 seconds with: ipa: ERROR: cannot connect to 'ldap://10.x.x.x:389': It has transferred 9762 records, but seems to hit a timeout that causes it to stop. I've run it in debug mode, which

Re: [Freeipa-users] FreeIPA and RADIUS

2015-01-15 Thread Dmitri Pal
On 01/15/2015 11:02 AM, Brian Topping wrote: +1 for a FreeRADIUS integration. I'd use it to feed the VPN AAA (Vyatta). As it's a very sensitive piece, it would be ideal if all the best practices were packaged up and known to be there on deployment. Can you please formulate requirements and u

Re: [Freeipa-users] Problems with ntpd when running FreeIPA in a Docker container

2015-01-15 Thread Nathan Kinder
On 01/15/2015 09:41 AM, Jan Pazdziora wrote: > On Thu, Jan 15, 2015 at 08:56:29AM -0800, Nathan Kinder wrote: >> >>> Even if you do that, SELinux will likely prevent ntpd doing its job >>> but at least it will stay around so that the client can connect to it. >>> >>> What is interesting though is

Re: [Freeipa-users] Problems with ntpd when running FreeIPA in a Docker container

2015-01-15 Thread Jan Pazdziora
On Thu, Jan 15, 2015 at 08:56:29AM -0800, Nathan Kinder wrote: > > > Even if you do that, SELinux will likely prevent ntpd doing its job > > but at least it will stay around so that the client can connect to it. > > > > What is interesting though is the fact that the client hangs > > indefinitely

Re: [Freeipa-users] Problems with ntpd when running FreeIPA in a Docker container

2015-01-15 Thread Nathan Kinder
On 01/15/2015 08:56 AM, Nathan Kinder wrote: > > > On 01/15/2015 12:01 AM, Jan Pazdziora wrote: ... >> You need to use --cap-add=SYS_TIME when running the server container >> or ntpd will fail. > > Thanks for the tip. This works. It would be handy to add this to the > README for your freei

Re: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04

2015-01-15 Thread Tomas Babej
On 01/15/2015 03:34 AM, Sina Owolabi wrote: > Hi List > > Please is it really possible to have Debian and Ubuntu serve as IPA > clients? > I've tried some instructions/guidelines on the list and they always > fail with the IPA client install being halfway completed and sssd's > configuration file

Re: [Freeipa-users] Problems with ntpd when running FreeIPA in a Docker container

2015-01-15 Thread Nathan Kinder
On 01/15/2015 12:01 AM, Jan Pazdziora wrote: > On Wed, Jan 14, 2015 at 08:18:02PM -0800, Nathan Kinder wrote: >> Hi, >> >> I'm running into a strange problem related to ntpd when trying to use >> IPA in a container. I'm using the adelton/freeipa-server:fedora-21 and >> adelton/freeipa-client:fed

Re: [Freeipa-users] Promoting ipa 4.1 on Centos 7 replica to master

2015-01-15 Thread Rui Gomes
Hello Rob, Thank you for the quick reply, I will give it a go, I wasn't sure if the links would work since most of the configuration for the dogtag in centos7 is different and commands like: "getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep post-save" do not apply,

Re: [Freeipa-users] Promoting ipa 4.1 on Centos 7 replica to master

2015-01-15 Thread Rob Crittenden
Rui Gomes wrote: > Hello Guys, > > I've been seeing plenty of emails about promoting replicas to masters, but those > articles do not seem to apply to the ipa 4.1/centos 7 combo. > > I had an ipa 3.0 master on centos 6.4 that died recently (I can still access > the file system), and I would like to pro

Re: [Freeipa-users] FreeIPA and RADIUS

2015-01-15 Thread Brian Topping
+1 for a FreeRADIUS integration. I'd use it to feed the VPN AAA (Vyatta). As it's a very sensitive piece, it would be ideal if all the best practices were packaged up and known to be there on deployment. > On Jan 15, 2015, at 10:49 PM, Dmitri Pal wrote: > > On 01/15/2015 08:16 AM, Chris Card

[Freeipa-users] Promoting ipa 4.1 on Centos 7 replica to master

2015-01-15 Thread Rui Gomes
Hello Guys, I've been seeing plenty of emails about promoting replicas to masters, but those articles do not seem to apply to the ipa 4.1/centos 7 combo. I had an ipa 3.0 master on centos 6.4 that died recently (I can still access the file system), and I would like to promote my 4.1 replica to the mast

Re: [Freeipa-users] FreeIPA and RADIUS

2015-01-15 Thread Dmitri Pal
On 01/15/2015 08:16 AM, Chris Card wrote: what's the current status of IPA integration with FreeRADIUS? This email from 2011, https://www.redhat.com/archives/freeipa-users/2011-October/msg00026.html, says "Integrating FreeRADIUS with IPA is on the long term roadmap." Is that still the case?

Re: [Freeipa-users] I think I trashed my FreeIPA CA - how to recover?

2015-01-15 Thread Bill Peck
On Thu, Jan 15, 2015 at 3:26 AM, Jan Cholasta wrote: > Hi, > > Dne 14.1.2015 v 14:54 Brian Topping napsal(a): > >> Hi Martin, thanks for your response! >> >> What I realize now is the certificate CRL points to the server that no longer exists and I'd like to get that cleaned up. I found >>>

Re: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04

2015-01-15 Thread Timo Aaltonen
On 15.01.2015 11:54, Petr Spacek wrote: > On 15.1.2015 09:36, Lukas Slebodnik wrote: >> Hi List >> >> Please is it really possible to have Debian and Ubuntu serve as IPA >> clients? >> I've tried some instructions/guidelines on the list and they always fail >> with the IPA

[Freeipa-users] FreeIPA and RADIUS

2015-01-15 Thread Chris Card
what's the current status of IPA integration with FreeRADIUS?  This email from 2011,  https://www.redhat.com/archives/freeipa-users/2011-October/msg00026.html, says "Integrating FreeRADIUS with IPA is on the long term roadmap." Is that still the case? Chris

Re: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04

2015-01-15 Thread Petr Spacek
On 15.1.2015 11:04, Lukas Slebodnik wrote: > On (15/01/15 10:54), Petr Spacek wrote: >> On 15.1.2015 09:36, Lukas Slebodnik wrote: >>> Hi List >>> >>> Please is it really possible to have Debian and Ubuntu serve as IPA >>> clients? >>> I've tried some instructions/guidelines on

Re: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04

2015-01-15 Thread Lukas Slebodnik
On (15/01/15 10:54), Petr Spacek wrote: >On 15.1.2015 09:36, Lukas Slebodnik wrote: >> Hi List >> >> Please is it really possible to have Debian and Ubuntu serve as IPA >> clients? >> I've tried some instructions/guidelines on the list and they always fail >> with th

Re: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04

2015-01-15 Thread Petr Spacek
On 15.1.2015 09:36, Lukas Slebodnik wrote: >>> >> Hi List >>> >> >>> >> Please is it really possible to have Debian and Ubuntu serve as IPA >>> >> clients? >>> >> I've tried some instructions/guidelines on the list and they always fail >>> >> with the IPA client install being halfway completed an

Re: [Freeipa-users] FreeIPA 4.1, OSX 10.9 and secondary groups

2015-01-15 Thread Martin Kosek
On 01/14/2015 07:34 PM, Dmitri Pal wrote: > On 01/14/2015 01:11 PM, Ejner Fergo wrote: >> Hola, >> >> This is a response to: >> https://www.redhat.com/archives/freeipa-users/2014-October/msg00126.html >> >> Scott, maybe you already found the solution, but I've been banging my head >> with the same

Re: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04

2015-01-15 Thread Lukas Slebodnik
On (15/01/15 09:17), Petr Spacek wrote: >On 15.1.2015 03:34, Sina Owolabi wrote: >> Hi List >> >> Please is it really possible to have Debian and Ubuntu serve as IPA clients? >> I've tried some instructions/guidelines on the list and they always fail >> with the IPA client install being halfway co

Re: [Freeipa-users] I think I trashed my FreeIPA CA - how to recover?

2015-01-15 Thread Jan Cholasta
Hi, Dne 14.1.2015 v 14:54 Brian Topping napsal(a): Hi Martin, thanks for your response! What I realize now is the certificate CRL points to the server that no longer exists and I'd like to get that cleaned up. I found http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

Re: [Freeipa-users] Problems with ntpd when running FreeIPA in a Docker container

2015-01-15 Thread Jan Pazdziora
On Thu, Jan 15, 2015 at 09:06:54AM +0100, Lukas Slebodnik wrote: > >> > >> I'm continuing to debug this, but I thought I'd share my findings thus > >> far in case anyone else has seen this or has any ideas for tracking the > >> problem down. Any ideas? > > > >You need to use --cap-add=SYS_TIME wh

Re: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04

2015-01-15 Thread Petr Spacek
On 15.1.2015 03:34, Sina Owolabi wrote: > Hi List > > Please is it really possible to have Debian and Ubuntu serve as IPA clients? > I've tried some instructions/guidelines on the list and they always fail > with the IPA client install being halfway completed and sssd's > configuration file moved

Re: [Freeipa-users] IPA trust integration in AD Forests that been upgraded to higher functional level

2015-01-15 Thread Genadi Postrilko
Sorry for the late response. I can confirm that with 3.3.3-28.el7_0.3, I'm able to fetch the sub-domains and to log with its users. Thank you! 2015-01-04 10:17 GMT+02:00 Alexander Bokovoy : > > > -- > > Hello all. > > I'm working on integrating AD trust feature in th

Re: [Freeipa-users] Problems with ntpd when running FreeIPA in a Docker container

2015-01-15 Thread Lukas Slebodnik
On (15/01/15 09:01), Jan Pazdziora wrote: >On Wed, Jan 14, 2015 at 08:18:02PM -0800, Nathan Kinder wrote: >> Hi, >> >> I'm running into a strange problem related to ntpd when trying to use >> IPA in a container. I'm using the adelton/freeipa-server:fedora-21 and >> adelton/freeipa-client:fedora-2

Re: [Freeipa-users] Problems with ntpd when running FreeIPA in a Docker container

2015-01-15 Thread Jan Pazdziora
On Wed, Jan 14, 2015 at 08:18:02PM -0800, Nathan Kinder wrote: > Hi, > > I'm running into a strange problem related to ntpd when trying to use > IPA in a container. I'm using the adelton/freeipa-server:fedora-21 and > adelton/freeipa-client:fedora-21 docker images. Basically, the client > instal