On Wed, 07 Oct 2015, Gronde, Christopher (Contractor) wrote:
I am new to FreeIPA and have inherited two IPA servers not sure if one
is a master/slave or how they are different. I will try to give some
pertinent outputs below of some of the things I am seeing. I know the
Server-Cert is expired b
On 07/10/15 13:36, Pat Gunn wrote:
Hi,
I'm trying to build a cluster of 3 IPA (staging at this point, but
eventually later I'll make a prod version)
systems (that will reside in AWS) that will manage select systems in our
infrastructure (mostly but not entirely in AWS).
The systems will be fronte
Janelle wrote:
> Hello,
>
> I hope this is a simple question. I have 1000's of these on my servers
> and it severely bogs them down. Any ideas on how to get rid of unindexed
> searches?
>
> [04/Oct/2015:13:27:54 -0700] conn=1344502 op=11158 RESULT err=0 tag=101
> nentries=0 etime=0 notes=U
> [04/
Hello,
I hope this is a simple question. I have 1000's of these on my servers
and it severely bogs them down. Any ideas on how to get rid of unindexed
searches?
[04/Oct/2015:13:27:54 -0700] conn=1344502 op=11158 RESULT err=0 tag=101
nentries=0 etime=0 notes=U
[04/Oct/2015:13:27:54 -0700] con
I am new to FreeIPA and have inherited two IPA servers not sure if one is a
master/slave or how they are different. I will try to give some pertinent
outputs below of some of the things I am seeing. I know the Server-Cert is
expired but can't figure out how to renew it. There also appears to
Hi,
I'm trying to build a cluster of 3 IPA (staging at this point, but
eventually later I'll make a prod version)
systems (that will reside in AWS) that will manage select systems in our
infrastructure (mostly but not entirely in AWS).
The systems will be fronted (like most of our infrastructure) w
Yes sorry I should expand on my question as per Josh's point my scenario
also has an AD trust involved.
I recently learned of KDC proxying but I am not sure if replicas and KDC
proxies are the preferred/accepted design solutions for DMZs
Aly
On Wed, Oct 7, 2015 at 1:18 PM, Baird, Josh wrote:
I'm also interested in how people are handling this - especially when using AD
Trusts.
When using a trust, the IPA host not only has to communicate with IPA servers,
but with potentially every AD domain controller in your HUB site. For us, this
is a large number of domain controllers which mea
Hey guys,
Question for you, would having a replica be the ideal solution for
authorizing hosts in a DMZ?
Do you have any use cases for DMZ access/authorization or topologies you
can share for DMZ zones where FreeIPA is used?
Aly
--
Manage your subscription for the Freeipa-users mailing list:
ht
On 10/07/2015 05:03 PM, Dominik Korittki wrote:
On 07.10.2015 at 15:25, thierry bordaz wrote:
On 10/07/2015 11:19 AM, Martin Kosek wrote:
On 10/05/2015 02:13 PM, Dominik Korittki wrote:
On 01.10.2015 at 21:52, Rob Crittenden wrote:
Dominik Korittki wrote:
Hello folks,
I am running two
On 07.10.2015 at 15:25, thierry bordaz wrote:
On 10/07/2015 11:19 AM, Martin Kosek wrote:
On 10/05/2015 02:13 PM, Dominik Korittki wrote:
On 01.10.2015 at 21:52, Rob Crittenden wrote:
Dominik Korittki wrote:
Hello folks,
I am running two FreeIPA Servers with around 100 users and around
Łukasz Jaworski wrote:
> Hi,
>
> I have problem with setup new replicas.
> I tried setup two replicas, both failed with the same error.
>
> environment:
> Fedora 21
>
> packages:
> freeipa-server-4.1.3-2.fc21.x86_64
> 389-ds-base-1.3.3.8-1.fc21.x86_64
> 389-ds-base-libs-1.3.3.8-1.fc21.x86_64
> p
Nicola Canepa wrote:
> Hello, I'm trying to replicate a subtree of the data from FreeIPA to a
> "foreign" LDAP server, by using LSC (http://lsc-project.org).
> The replication seems to work correctly, but I was unable to create a
> user (maybe even not visible from the web GUI) which could read
>
On 10/07/2015 11:19 AM, Martin Kosek wrote:
On 10/05/2015 02:13 PM, Dominik Korittki wrote:
On 01.10.2015 at 21:52, Rob Crittenden wrote:
Dominik Korittki wrote:
Hello folks,
I am running two FreeIPA Servers with around 100 users and around 15.000
hosts, which are used by users to login via
On 07/10/15 12:40, Martin Basti wrote:
On 10/07/2015 01:26 PM, Alex Williams wrote:
On 07/10/15 11:31, Martin Basti wrote:
On 10/07/2015 12:28 PM, Martin Basti wrote:
On 10/07/2015 12:10 PM, Alex Williams wrote:
On 07/10/15 10:57, Martin Basti wrote:
On 10/07/2015 11:23 AM, Alex Will
On 10/07/2015 01:26 PM, Alex Williams wrote:
On 07/10/15 11:31, Martin Basti wrote:
On 10/07/2015 12:28 PM, Martin Basti wrote:
On 10/07/2015 12:10 PM, Alex Williams wrote:
On 07/10/15 10:57, Martin Basti wrote:
On 10/07/2015 11:23 AM, Alex Williams wrote:
On 07/10/15 09:53, Martin B
On 07/10/15 11:31, Martin Basti wrote:
On 10/07/2015 12:28 PM, Martin Basti wrote:
On 10/07/2015 12:10 PM, Alex Williams wrote:
On 07/10/15 10:57, Martin Basti wrote:
On 10/07/2015 11:23 AM, Alex Williams wrote:
On 07/10/15 09:53, Martin Basti wrote:
On 10/07/2015 09:49 AM, Alex Will
On Wed, Oct 07, 2015 at 12:07:08PM +0200, Guillem Liarte wrote:
> All,
>
> I have an IPA 4.1 installation that works perfectly. We just suffer from
> slow logins (this is also slow in other operations such as invoking SUDO)
>
> IPA user:
>
> 1st. login: 30 seconds
> 2nd login: 8 seconds
> 3rd lo
On 10/07/2015 12:01 PM, Martin Kosek wrote:
> On 10/06/2015 07:35 PM, Lesley Kimmel wrote:
>> Hi all;
>>
>> I'm working an initiative to centralize user accounts in Active Directory.
>> We have a large RHEL (6+) footprint and want to manage these as well. I am
>> a Red Hat Engineer on the project a
On 10/07/2015 12:28 PM, Martin Basti wrote:
On 10/07/2015 12:10 PM, Alex Williams wrote:
On 07/10/15 10:57, Martin Basti wrote:
On 10/07/2015 11:23 AM, Alex Williams wrote:
On 07/10/15 09:53, Martin Basti wrote:
On 10/07/2015 09:49 AM, Alex Williams wrote:
Hi guys,
yesterday I final
On 10/07/2015 12:10 PM, Alex Williams wrote:
On 07/10/15 10:57, Martin Basti wrote:
On 10/07/2015 11:23 AM, Alex Williams wrote:
On 07/10/15 09:53, Martin Basti wrote:
On 10/07/2015 09:49 AM, Alex Williams wrote:
Hi guys,
yesterday I finally managed to get our IPA3.0.0 servers in a sta
On 07/10/15 10:57, Martin Basti wrote:
On 10/07/2015 11:23 AM, Alex Williams wrote:
On 07/10/15 09:53, Martin Basti wrote:
On 10/07/2015 09:49 AM, Alex Williams wrote:
Hi guys,
yesterday I finally managed to get our IPA3.0.0 servers in a state
that I could upgrade the schema to dogtag 10
Hello, I'm trying to replicate a subtree of the data from FreeIPA to a
"foreign" LDAP server, by using LSC (http://lsc-project.org).
The replication seems to work correctly, but I was unable to create a
user (maybe even not visible from the web GUI) which could read
userPassword field.
Which A
All,
I have an IPA 4.1 installation that works perfectly. We just suffer from
slow logins (this is also slow in other operations such as invoking SUDO)
IPA user:
1st. login: 30 seconds
2nd login: 8 seconds
3rd login: 6.5 seconds
4th login: 20 seconds
Local user:
Consistently under 2 seconds
On 6.10.2015 18:57, nat...@nathanpeters.com wrote:
>> Your expectation #1 is correct, but there can be multiple reasons why it
>> fails.
>>
>> Did you try to set forward policy = only as I advised you in the previous
>> e-mail? Forward policy 'first' does not make sense when split-DNS is
>> involve
On 10/06/2015 07:35 PM, Lesley Kimmel wrote:
> Hi all;
>
> I'm working an initiative to centralize user accounts in Active Directory.
> We have a large RHEL (6+) footprint and want to manage these as well. I am
> a Red Hat Engineer on the project and, while it is possible to integrate
> all of the
On 10/07/2015 11:23 AM, Alex Williams wrote:
On 07/10/15 09:53, Martin Basti wrote:
On 10/07/2015 09:49 AM, Alex Williams wrote:
Hi guys,
yesterday I finally managed to get our IPA3.0.0 servers in a state
that I could upgrade the schema to dogtag 10, using the migration
script and launch
On Wed, Oct 07, 2015 at 11:19:02AM +0200, Pavel Březina wrote:
> On 10/07/2015 10:03 AM, Jakub Hrozek wrote:
> >On Tue, Oct 06, 2015 at 06:28:14PM +0200, Karl Forner wrote:
> >>Hello,
> >>
> >>I had assumed sudo rules worked because I have an "allow_all for admins"
> >>sudo rule that seemed to work
Looks like system is missing ca cert (should it be added during
ipa-replica-install?)
I don't know if missing cert is main problem in my case, but I made some tests:
try 1:
openssl s_client -connect `hostname -f`:8443
(…)
Verify return code: 19 (self signed certificate in certificate chain)
On 07/10/15 09:53, Martin Basti wrote:
On 10/07/2015 09:49 AM, Alex Williams wrote:
Hi guys,
yesterday I finally managed to get our IPA3.0.0 servers in a state
that I could upgrade the schema to dogtag 10, using the migration
script and launched a new RHEL7.1 IPA4.1 server as a replica.
Un
On 10/07/2015 10:03 AM, Jakub Hrozek wrote:
On Tue, Oct 06, 2015 at 06:28:14PM +0200, Karl Forner wrote:
Hello,
I had assumed sudo rules worked because I have an "allow_all for admins"
sudo rule that seemed to work, but I wonder if there is an implicit rule
for the special group admins ?
Beca
On 10/05/2015 02:13 PM, Dominik Korittki wrote:
>
>
> On 01.10.2015 at 21:52, Rob Crittenden wrote:
>> Dominik Korittki wrote:
>>> Hello folks,
>>>
>>> I am running two FreeIPA Servers with around 100 users and around 15.000
>>> hosts, which are used by users to login via ssh. The FreeIPA server
On 10/07/2015 09:49 AM, Alex Williams wrote:
Hi guys,
yesterday I finally managed to get our IPA3.0.0 servers in a state
that I could upgrade the schema to dogtag 10, using the migration
script and launched a new RHEL7.1 IPA4.1 server as a replica.
Unfortunately, in both the new RHEL7.1 IPA
On Tue, Oct 06, 2015 at 01:48:21PM -0500, Lesley Kimmel wrote:
> Hi all;
>
> I'm working an initiative to centralize user accounts in Active Directory.
> We have a large RHEL (6+) footprint and want to manage these as well. I am
> a Red Hat Engineer on the project and, while it is possible to inte
On Tue, Oct 06, 2015 at 03:39:43PM +0200, Alexander Skwar wrote:
> Hello Sumit
>
> ipa-client-install hasn't set krb5_realm. I did that.
>
> We're using Chef-Solo to manage our systems and I have /etc/sssd/sssd.conf
> in chef. So it overwrote, whatever ipa-client-install put there. And that's
> h
Hi guys,
yesterday I finally managed to get our IPA3.0.0 servers in a state that
I could upgrade the schema to dogtag 10, using the migration script and
launched a new RHEL7.1 IPA4.1 server as a replica. Unfortunately, in
both the new RHEL7.1 IPA4.1 server AND the old RHEL6.6 IPA3.0.0 server
On Tue, Oct 06, 2015 at 06:28:14PM +0200, Karl Forner wrote:
> Hello,
>
> I had assumed sudo rules worked because I have an "allow_all for admins"
> sudo rule that seemed to work, but I wonder if there is an implicit rule
> for the special group admins ?
>
>
> Because I have tried to replicate t
On Mon, Oct 05, 2015 at 01:25:09PM +, Zoske, Fabian wrote:
> Dear Jakub,
>
> I found only the following entries in the /var/log/auth.log:
>
> Oct 5 11:57:38 hl-srv10 sudo: pam_unix(sudo:auth): conversation failed
> Oct 5 11:57:38 hl-srv10 sudo: pam_unix(sudo:auth): auth could not identify
38 matches