[Freeipa-users] IPA Replication Questions
Hi,

Looking at the documentation, I've found no examples of creating replication agreement with only one server.

What I assume needs to be done is this: For each replica, run ipa-replica-prepare and follow the documentation. This creates replication agreements between two nodes. From there, I should use ipa-replica-manage to add replication agreements to whichever nodes I want that were not the original two.

For instance: from server1 I run ipa-replica-prepare to prepare the files for server2 and server3 and then run ipa-replica-install on them with their respective files. So my replication agreements are

s1 - s2
s1 - s3

After that I use ipa-replica-manage to create trust between server2 and server3.

Am I right?

Thank you,
John

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool
Hi Markus

I can now replicate FreeIPA groups / group membership to Jira Local Directory.

/var/log/dirsrv/slapd-*/access showed me the queries Jira is performing to get the groups. Comparing this to the FreeIPA structure using Apache Directory Studio gave the answer.

Under Group Schema Settings, change
* Group Object Class from groupOfUniqueNames to groupOfNames
* Group Object Filter from (objectclass=groupOfUniqueNames) to (objectclass=groupOfNames)

Under Membership Schema Setting change
* Group Members Attribute from uniqueMember to Member

Chris

From: markus@mc.ingenico.com
To: Christopher Lamb/Switzerland/IBM@IBMCH, aboko...@redhat.com, mko...@redhat.com
Cc: freeipa-users@redhat.com
Date: 06.07.2015 08:00
Subject: AW: AW: [Freeipa-users] FreeIPA mail object to use in 3rd party tool

Hi Chris,

thanks for your help. Now we are able to login and have our mails delivered. Do you maybe know which configuration objects need to be used in Jira to be able to use the FreeIPA groups? We have configured all necessary Jira Groups in FreeIPA but it doesn't work as it should.

-----Original Message-----
From: Christopher Lamb [mailto:christopher.l...@ch.ibm.com]
Sent: Wednesday, 1 July 2015 09:31
To: Moj, Markus; aboko...@redhat.com; mko...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: AW: [Freeipa-users] FreeIPA mail object to use in 3rd party tool

Hi Markus

It is a pleasure. It was serendipity that we were working on the same problem at the same time. Your thread prompted me to take a different look at the question and find a viable solution.

Let us know if it works for you.

What intrigues me is: with my solution we had to change from an anonymous bind to a simple bind via user / pw to get one extra attribute: mail.

This raises the question: Is there some way to configure IPA to determine which user attributes are returned to anonymous binds?

Cheers
Chris

From: markus@mc.ingenico.com
To: Christopher Lamb/Switzerland/IBM@IBMCH, aboko...@redhat.com, mko...@redhat.com
Cc: freeipa-users@redhat.com
Date: 01.07.2015 07:54
Subject: AW: [Freeipa-users] FreeIPA mail object to use in 3rd party tool

Hi Christopher,

thanks very much for your help, I appreciate it. I will reconfigure our Jira and see how it works out.

-----Original Message-----
From: Christopher Lamb [mailto:christopher.l...@ch.ibm.com]
Sent: Monday, 29 June 2015 16:08
To: Alexander Bokovoy; Moj, Markus; Martin Kosek
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA mail object to use in 3rd party tool

Hi

As of a few minutes ago, we can now replicate FreeIPA users to JIRA, including the vital mail attribute!

Note there are probably other solutions that work as well, but this is the one that works for us.

Key points:

a) Integration Style: Internal Directory with LDAP Authentication -- only those users that attempt to login are replicated, useful if your JIRA users are a subset of your FreeIPA users.
b) LDAP Type = Generic LDAP -- JIRA does not yet have native FreeIPA Support.
c) bind = via user / password -- we first tried anonymous bind (w/o user). While this replicated users and logins worked, the all-important mail attribute was not replicated.
d) as the password of the bind user is stored in plaintext in the jira db, make sure this is a limited user (member of the default ipa-users group is sufficient). e.g. don't use the Directory Manager user!
e) ldap.user.filter=(objectclass=inetorgperson) ensures that replies DO NOT come from the compat tree (no mail attribute). We want replies from cn=users,cn=accounts, which does have the mail attribute

Below is the config direct from the Jira database (of course we made the config changes via the Jira admin GUI, which has a nifty Test function).

mysql> select attribute_name, attribute_value from
mysql> cwd_directory_attribute where directory_id = 10001;
+--------------------------------------------+-------------------------------------------+
| attribute_name                             | attribute_value                           |
+--------------------------------------------+-------------------------------------------+
| autoAddGroups                              | jira-users                                |
| crowd.delegated.directory.auto.create.user | true                                      |
| crowd.delegated.directory.auto.update.user | true                                      |
| crowd.delegated.directory.importGroups     | false                                     |
| crowd.delegated.directory.type             | com.atlassian.crowd.directory.GenericLDAP |
| ldap.basedn                                | dc=my,dc=silly,dc=example,dc=com          |
| ldap.external.id                           | uid                                       |
| ldap.group.description                     | description                               |
| ldap.group.dn                              |                                           |
| ldap.group.filter                          |

[Freeipa-users] Trace / Debug LDAP queries from 3rd Party Tools against FreeIPA Server
Hi All

Is there any way on the FreeIPA side to log / debug / trace the LDAP queries made by 3rd Party Tools against a FreeIPA Server?

In another thread we are trying to solve some problems with integration of JIRA to FreeIPA. I think if I can see the exact LDAP queries JIRA is making against FreeIPA, then we will be well on the road to finding out what is going wrong / needs to be changed.

I will be asking a similar question to Atlassian support for LDAP logging on the JIRA side (there I already have partial success, but am not seeing everything I want to see).

Cheers
Chris

Re: [Freeipa-users] IPA Replication Questions
Yes.

ipa-replica-manage connect s2 s3

and for CA replication:

ipa-csreplica-manage connect s2 s3

Best regards,
Ender

Message written by John Stein tde3...@gmail.com on 7 Jul 2015, at 07:56:

> Hi,
>
> Looking at the documentation, I've found no examples of creating replication agreement with only one server.
>
> What I assume needs to be done is this: For each replica, run ipa-replica-prepare and follow the documentation. This creates replication agreements between two nodes. From there, I should use ipa-replica-manage to add replication agreements to whichever nodes I want that were not the original two.
>
> For instance: from server1 I run ipa-replica-prepare to prepare the files for server2 and server3 and then run ipa-replica-install on them with their respective files. So my replication agreements are
>
> s1 - s2
> s1 - s3
>
> After that I use ipa-replica-manage to create trust between server2 and server3.
>
> Am I right?
>
> Thank you,
> John

Re: [Freeipa-users] strange password error..
On Mon, Jul 06, 2015 at 02:25:56PM -0700, Janelle wrote:
> On 7/6/15 10:44 AM, Simo Sorce wrote:
> > On Mon, 2015-07-06 at 10:11 -0700, Janelle wrote:
> > > Hello all,
> > >
> > > Is there any known bug that would cause:
> > >
> > > Password change failed. Server message: Current password's minimum life has not expired
> > >
> > > Here is the environment/process (7.1 with IPA 4.1.4) --
> > >
> > > 1. reset a user's PW so they are forced to change it.
> > > 2. they login and get the Your password has expired... message
> > > 3. They are then asked to change it and enter a new PW (twice)
> > > 4. This error message pops up, BUT -- the password is still changed.
> >
> > If they get this using kpasswd it may happen if a re-transmission occurs, as kpasswd uses UDP, so the second request ends up with that error, I think, not 100% sure.
> >
> > Simo.
>
> This is very consistent - happening to all my users, and yet the IPA server load is nothing. And since it does reset the PW successfully, why would it still send this message?

Can you provide the SSSD domain and pam responder log files? If you prefer feel free to send them to me by pm.

Besides updating the password on the server side SSSD does other things like e.g. updating the cached password hash. Maybe the server side update works as expected but some other operation fails causing this error message.

bye,
Sumit

> Still confused,
> ~Janelle

Re: [Freeipa-users] Trace / Debug LDAP queries from 3rd Party Tools against FreeIPA Server
On 07/07/15 17:39, Christopher Lamb wrote:
> Hi All
>
> Is there any way on the FreeIPA side to log / debug / trace the LDAP queries made by 3rd Party Tools against a FreeIPA Server?
>
> In another thread we are trying to solve some problems with integration of JIRA to FreeIPA. I think if I can see the exact LDAP queries JIRA is making against FreeIPA, then we will be well on the road to finding out what is going wrong / needs to be changed.
>
> I will be asking a similar question to Atlassian support for LDAP logging on the JIRA side (there I already have partial success, but am not seeing everything I want to see).
>
> Cheers
> Chris

Hello,

all LDAP queries are logged in this log /var/log/dirsrv/slapd-*/access

--
Martin Basti

Re: [Freeipa-users] Trace / Debug LDAP queries from 3rd Party Tools against FreeIPA Server
Rich, Martin

Thanks, I saw the query Jira was performing to retrieve the groups in /var/log/dirsrv/slapd-*/access, and have been able to correctly configure Jira accordingly.

Chris

From: Rich Megginson rmegg...@redhat.com
To: freeipa-users@redhat.com
Date: 07.07.2015 18:15
Subject: Re: [Freeipa-users] Trace / Debug LDAP queries from 3rd Party Tools against FreeIPA Server
Sent by: freeipa-users-boun...@redhat.com

On 07/07/2015 10:09 AM, Martin Basti wrote:
> On 07/07/15 17:39, Christopher Lamb wrote:
> > Hi All
> >
> > Is there any way on the FreeIPA side to log / debug / trace the LDAP queries made by 3rd Party Tools against a FreeIPA Server?
> >
> > In another thread we are trying to solve some problems with integration of JIRA to FreeIPA. I think if I can see the exact LDAP queries JIRA is making against FreeIPA, then we will be well on the road to finding out what is going wrong / needs to be changed.
> >
> > I will be asking a similar question to Atlassian support for LDAP logging on the JIRA side (there I already have partial success, but am not seeing everything I want to see).
> >
> > Cheers
> > Chris
>
> Hello,
>
> all LDAP queries are logged in this log /var/log/dirsrv/slapd-*/access

If by query you mean search request, then all of the search request data is logged in the dirsrv access log. If you need details about other operations, you'll want to enable the audit log.

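Reading the access log as suggested in this thread, as an added example (not code from any poster or from the FreeIPA project): the script joins each SRCH line with the connection's client address, bind DN and RESULT, and lists searches that succeeded but returned no entries, which is how a mismatched group objectclass filter shows up. The log lines are constructed; the addresses, DNs and the jira-bind account are assumptions.

```python
import re

# Constructed sample in the 389-ds access-log line format; addresses, DNs and
# counts are invented for illustration and do not come from the thread.
SAMPLE_LOG = '''\
[07/Jul/2015:17:50:01 +0200] conn=41 fd=70 slot=70 connection from 192.0.2.10 to 192.0.2.1
[07/Jul/2015:17:50:01 +0200] conn=41 op=0 BIND dn="" method=128 version=3
[07/Jul/2015:17:50:01 +0200] conn=41 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[07/Jul/2015:17:50:01 +0200] conn=41 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(objectclass=groupOfUniqueNames)" attrs="cn description uniqueMember"
[07/Jul/2015:17:50:01 +0200] conn=41 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[07/Jul/2015:17:50:02 +0200] conn=41 op=2 UNBIND
[07/Jul/2015:17:52:10 +0200] conn=42 fd=71 slot=71 connection from 192.0.2.10 to 192.0.2.1
[07/Jul/2015:17:52:10 +0200] conn=42 op=0 BIND dn="uid=jira-bind,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[07/Jul/2015:17:52:10 +0200] conn=42 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jira-bind,cn=users,cn=accounts,dc=example,dc=com"
[07/Jul/2015:17:52:10 +0200] conn=42 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(objectclass=groupOfNames)" attrs="cn description member"
[07/Jul/2015:17:52:10 +0200] conn=42 op=1 RESULT err=0 tag=101 nentries=3 etime=0
[07/Jul/2015:17:52:11 +0200] conn=42 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectclass=inetorgperson)(uid=alice))" attrs="uid mail displayName"
[07/Jul/2015:17:52:11 +0200] conn=42 op=2 RESULT err=0 tag=101 nentries=1 etime=0
'''

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?:op=(?P<op>-?\d+) )?(?P<rest>.*)$')
CONNECT = re.compile(r'connection from (?P<client>\S+) to ')
BIND = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
SRCH = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) '
                  r'filter="(?P<filter>.*)" attrs=(?P<attrs>"[^"]*"|\S+)')
RESULT = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<n>\d+)')


def trace_searches(lines):
    """Return one record per SRCH, joined with its client, bind DN and RESULT."""
    client, bound, pending_bind, open_ops, records = {}, {}, {}, {}, []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        conn, op, rest = m['conn'], m['op'], m['rest']
        if op is None and (c := CONNECT.search(rest)):
            client[conn], bound[conn] = c['client'], ''  # a new connection is anonymous
        elif b := BIND.match(rest):
            pending_bind[(conn, op)] = b['dn']           # not effective until RESULT err=0
        elif s := SRCH.match(rest):
            rec = {'ts': m['ts'], 'conn': int(conn), 'client': client.get(conn, '?'),
                   'bind_dn': bound.get(conn, ''), 'base': s['base'],
                   'scope': int(s['scope']), 'filter': s['filter'],
                   'attrs': s['attrs'].strip('"').split(),
                   'err': None, 'nentries': None}
            open_ops[(conn, op)] = rec
            records.append(rec)
        elif r := RESULT.match(rest):
            if r['tag'] == '97':                         # tag 97 is the bind response
                dn = pending_bind.pop((conn, op), None)
                if dn is not None and r['err'] == '0':
                    bound[conn] = dn
            elif (conn, op) in open_ops:                 # tag 101 closes a search
                rec = open_ops.pop((conn, op))
                rec['err'], rec['nentries'] = int(r['err']), int(r['n'])
    return records


def zero_hit_searches(records):
    """Searches that succeeded (err=0) but matched no entry at all."""
    return [r for r in records if r['err'] == 0 and r['nentries'] == 0]


if __name__ == '__main__':
    for rec in trace_searches(SAMPLE_LOG.splitlines()):
        who = rec['bind_dn'] or 'anonymous'
        print(f"{rec['client']} as {who}: {rec['filter']} "
              f"attrs={rec['attrs']} -> nentries={rec['nentries']}")
    print('zero-hit filters:', [r['filter'] for r in zero_hit_searches(
        trace_searches(SAMPLE_LOG.splitlines()))])
```

On a real server, pass the lines of /var/log/dirsrv/slapd-*/access to trace_searches() instead of the sample.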
Re: [Freeipa-users] Userpassword randomly not working anymore.
Hi Martin,

No problem, I thought you guys needed a vacation but you are working on 4.2, wow sounds great!

I can provide that but it will take some time as I cannot see when it happens so need to check. I might be able to post it tomorrow!

Good luck there with the release!

Cheers,
Matt

2015-07-07 13:40 GMT+02:00 Martin Kosek mko...@redhat.com:
> On 07/05/2015 01:08 AM, Matt . wrote:
> > Hi Guys,
> >
> > I created a bug where no response is on yet for a week, so I thought to ask the mailinglist if someone has seen this behaviour.
>
> Hi Matt,
>
> Sorry for the delay in the answer in Bugzilla, most of the team is now very busy with FreeIPA 4.2 finalization, so the responses are slower.
>
> In your case, I think we will need more data anyway, specifically what does it mean that "The password of a user is randomly not working". If password reset is not behaving as it should, we will need full user entry *before* password reset (ipa user-show USER --all --raw), full user entry *after* password reset and password policy setting for the user (ipa pwpolicy-show).
>
> > https://bugzilla.redhat.com/show_bug.cgi?id=1236322
> >
> > Description of problem:
> > The password of a user is randomly not working anymore and needs a reset of the password. The user is added as passSyncManagersDNs entry and when this user sets a password for another user the expire is set to 2035, it does the same for itself.
> >
> > Version-Release number of selected component (if applicable):
> > 4.1
> >
> > How reproducible:
> > Add a user to passSyncManagersDNs like described here:
> > https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/pass-sync.html
> >
> > Steps to Reproduce:
> > 1. Add user to passSyncManagersDNs
> > 2. Reset this user his password, login and set the same password again so it stays the same until 2035
> > 3. Wait for some days and try to login as this user the password is expired or damaged but still says in the GUI it expires in 2035
> >
> > Actual results:
> > The password expires it gets corrupted or so ?
> >
> > Expected results:
> > It should not expire until 2035!
> >
> > I hope someone has a clue here as I can't get anything logged about it.
> >
> > Thanks,
> > Matt

Re: [Freeipa-users] Userpassword randomly not working anymore.
On 07/05/2015 01:08 AM, Matt . wrote:
> Hi Guys,
>
> I created a bug where no response is on yet for a week, so I thought to ask the mailinglist if someone has seen this behaviour.

Hi Matt,

Sorry for the delay in the answer in Bugzilla, most of the team is now very busy with FreeIPA 4.2 finalization, so the responses are slower.

In your case, I think we will need more data anyway, specifically what does it mean that "The password of a user is randomly not working". If password reset is not behaving as it should, we will need full user entry *before* password reset (ipa user-show USER --all --raw), full user entry *after* password reset and password policy setting for the user (ipa pwpolicy-show).

> https://bugzilla.redhat.com/show_bug.cgi?id=1236322
>
> Description of problem:
> The password of a user is randomly not working anymore and needs a reset of the password. The user is added as passSyncManagersDNs entry and when this user sets a password for another user the expire is set to 2035, it does the same for itself.
>
> Version-Release number of selected component (if applicable):
> 4.1
>
> How reproducible:
> Add a user to passSyncManagersDNs like described here:
> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/pass-sync.html
>
> Steps to Reproduce:
> 1. Add user to passSyncManagersDNs
> 2. Reset this user his password, login and set the same password again so it stays the same until 2035
> 3. Wait for some days and try to login as this user the password is expired or damaged but still says in the GUI it expires in 2035
>
> Actual results:
> The password expires it gets corrupted or so ?
>
> Expected results:
> It should not expire until 2035!
>
> I hope someone has a clue here as I can't get anything logged about it.
>
> Thanks,
> Matt

Re: [Freeipa-users] Using NTP SRV records
You need to specify '--no-ntp' on 'ipa-client-install'

Josh

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of John Stein
Sent: Tuesday, July 07, 2015 7:38 AM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Using NTP SRV records

Hi,

I have an IPA server installed with --no-ntp, and created SRV records _ntp._udp_.linux.john.com pointing to my actual NTP servers. However, when I run ipa-client-install it is configured with the IPA server as an NTP server.

Am I missing something?

Thanks,
John

[Freeipa-users] Using NTP SRV records
Hi,

I have an IPA server installed with --no-ntp, and created SRV records _ntp._udp_.linux.john.com pointing to my actual NTP servers. However, when I run ipa-client-install it is configured with the IPA server as an NTP server.

Am I missing something?

Thanks,
John

Re: [Freeipa-users] What is the recommended way to create an Administrator account through the web ui?
On 07/03/2015 05:45 PM, nat...@nathanpeters.com wrote:
> I have been trying to create accounts in FreeIPA that have the same level of permission as the built-in administrator account. Basically, I want to do the equivalent of what you can do in Active Directory by adding someone to the Domain Administrators group. We need this because it is not an acceptable security model in our enterprise to share the built-in admin password between many administrators.

Very much understandable.

> What is the proper way to do this? I notice that the built-in roles are DNS Administrator, IT Security Specialist, IT Specialist, Security Architect, User Administrator, and helpdesk. If I give a user all 6 of these roles will they have the equivalent level of permissions as the admin user or are there things they still won't be able to do ?

If you want to have user with admin powers, all you need to do is to add the user to admins group as this is the group with the real powers.

If you want to create less privileged administrators, you can use the RBAC model and create your custom roles with the chosen selection of privileges. If you want to do even more fine-grained permission control, you can even create own privileges based on the permissions, which is the lowest level of permission available in FreeIPA.

More info on this topic should be in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-roles.html

Martin

Re: [Freeipa-users] error after change cert
barry...@gmail.com wrote:
> Where is it? Could u advise?
>
> My old cert is GoDaddy
> And new cert is Comodo

Please keep responses on the list.

$ ldapsearch -LLL -x -D 'cn=directory manager' -W -b cn=RSA,cn=encryption,cn=config nsSSLPersonalitySSL

If the result doesn't match the nickname of your new cert then your simplest solution is:

# ipactl stop
# <favorite editor> /etc/dirsrv/slapd-REALM/dse.ldif

Find nsSSLPersonalitySSL and replace the value with the right one.

# ipactl start

rob

> On 6 July 2015 at 11:52 PM, Rob Crittenden rcrit...@redhat.com wrote:
> > barry...@gmail.com wrote:
> > > Where can I check the config of nss? I modified the nssdb and imported cert successfully. Should I change any ldif?
> >
> > I already told you in my initial reply:
> >
> > Check the value of nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config. This is the NSS nickname of the server certificate to use.
> >
> > rob
> >
> > > Many thks
> > >
> > > On 6 July 2015 at 11:44 PM, Rob Crittenden rcrit...@redhat.com wrote:
> > > > barry...@gmail.com wrote:
> > > > > Do u mean this: I already added the cert to nss and even \etc\ipa\ ca.cert replaced
> > > > >
> > > > > [root@(LIVE) slapd-Wwww-COM]$ certutil -d /etc/pki/nssdb -L
> > > > >
> > > > > Certificate Nickname                                         Trust Attributes
> > > > >                                                              SSL,S/MIME,JAR/XPI
> > > > >
> > > > > COMODO RSA Domain Validation Secure Server CA                CT,C,C
> > > > > IPA CA                                                       CT,C,C
> > > > > COMODO RSA Certification Authority                           CT,C,C
> > > >
> > > > This has no relationship to the error you're seeing. This database is not used by either Apache or 389-ds.
> > > >
> > > > NSS uses nicknames to reference a given certificate. This nickname needs to exist in its database. I'm guessing that you changed the database, and therefore the nickname in the database, without also updating the server configuration with this new nickname.
> > > >
> > > > rob
> > > >
> > > > > 2015-07-06 21:39 GMT+08:00 Rob Crittenden rcrit...@redhat.com:
> > > > > > barry...@gmail.com wrote:
> > > > > > > the cert already in httpd / ldap side. but it prompt error
> > > > > > >
> > > > > > > [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
> > > > > > > [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
> > > > > > >
> > > > > > > *.wisers.com - COMODO CA Limited                             u,u,u
> > > > > > > COMODO RSA Domain Validation Secure Server CA                CT,C,C
> > > > > > > COMODO RSA Certification Authority                           CT,C,C
> > > > > >
> > > > > > Taking a wild guess here due to limited information, but check the value of nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config. This is the NSS nickname of the server certificate to use.
> > > > > >
> > > > > > rob
> > > > > >
> > > > > > > 2015-07-06 20:01 GMT+08:00 barry...@gmail.com:
> > > > > > > > hi:
> > > > > > > >
> > > > > > > > I changed cert already but it seems it still keeps history of GoDaddy. Any help??
> > > > > > > >
> > > > > > > > www-COM...[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Can't find certificate (*.wwwcom - GoDaddy.com, Inc.) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> > > > > > > > [06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Unable to retrieve private key for cert *.www.com - GoDaddy.com, Inc. of family
Re: [Freeipa-users] IPA replica without CA, how to become CA
Hi Rob,

OK, I had difficulties with that and try it.

What I actually did is: Turned off IPA1 (to act it like a dead one) and removed it from ipa2.

Now when I install a new replica with ipa2 as its master/source I get complaints there is no CA. So my ipa2 needs to become ca in some way.

I need to check but I thought I did what you said which didn't work... I need to debug it and report to you this evening.

Thanks,
Matt

2015-07-06 17:54 GMT+02:00 Rob Crittenden rcrit...@redhat.com:
> Matt . wrote:
> > Hi All,
> >
> > I'm cleaning up and playing around with some old dev setups and reviewing these tests.
> >
> > This is a replica setup but the replica is no CA. Now I'm testing out how to manage cluster when I remove the ipa1 (CA) and create a new replica with CA from the ipa2.
> >
> > IPA2 should become CA and out of that I can setup a replica again.
> >
> > What is my best approach to test this ?
>
> Hard to say given I have no insight into your topology, but to add a CA post-install use ipa-ca-install <replica-file>
>
> rob

Re: [Freeipa-users] Using NTP SRV records
Thank you (both of you)

John

On Tue, Jul 7, 2015 at 2:42 PM Baird, Josh jba...@follett.com wrote:
> You need to specify '--no-ntp' on 'ipa-client-install'
>
> Josh
>
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of John Stein
> Sent: Tuesday, July 07, 2015 7:38 AM
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] Using NTP SRV records
>
> Hi,
>
> I have an IPA server installed with --no-ntp, and created SRV records _ntp._udp_.linux.john.com pointing to my actual NTP servers. However, when I run ipa-client-install it is configured with the IPA server as an NTP server.
>
> Am I missing something?
>
> Thanks,
> John

Re: [Freeipa-users] IPA Replication Questions
Thanks for the reply. Maybe this should be added to the documentation?

John

On Tue, Jul 7, 2015 at 11:02 AM Łukasz Jaworski en...@kofeina.net wrote:
> Yes.
>
> ipa-replica-manage connect s2 s3
>
> and for CA replication:
>
> ipa-csreplica-manage connect s2 s3
>
> Best regards,
> Ender
>
> Message written by John Stein tde3...@gmail.com on 7 Jul 2015, at 07:56:
>
> > Hi,
> >
> > Looking at the documentation, I've found no examples of creating replication agreement with only one server.
> >
> > What I assume needs to be done is this: For each replica, run ipa-replica-prepare and follow the documentation. This creates replication agreements between two nodes. From there, I should use ipa-replica-manage to add replication agreements to whichever nodes I want that were not the original two.
> >
> > For instance: from server1 I run ipa-replica-prepare to prepare the files for server2 and server3 and then run ipa-replica-install on them with their respective files. So my replication agreements are
> >
> > s1 - s2
> > s1 - s3
> >
> > After that I use ipa-replica-manage to create trust between server2 and server3.
> >
> > Am I right?
> >
> > Thank you,
> > John

Re: [Freeipa-users] Using NTP SRV records
On Tue, Jul 07, 2015 at 11:37:39AM +, John Stein wrote:
> Hi,
>
> I have an IPA server installed with --no-ntp, and created SRV records _ntp._udp_.linux.john.com pointing to my actual NTP servers. However, when I run ipa-client-install it is configured with the IPA server as an NTP server.
>
> Am I missing something?

I believe you might be hitting bug

https://fedorahosted.org/freeipa/ticket/4981

The fix will go out with 4.2 release.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat