[Freeipa-users] FreeIPA 4.1 -> 4.2 replica upgrade process

2015-11-30 Thread Andreas Calminder
Hello! This might be trivial but I want to double check the preferred way of upgrading my ipa environment, I have 3 servers (Running Rhel 7.1, ipa 4.1), 1 acting as master with a ca (external certificate), the replicas are also ca's, they're only syncing to and from the master, unaware of

Re: [Freeipa-users] CA installation failed on server

2015-11-30 Thread Rob Crittenden
Christian Heimes wrote: > On 2015-11-30 16:27, Rob Crittenden wrote: >> Christian Heimes wrote: >>> On 2015-11-30 12:51, Martin Basti wrote: On 28.11.2015 00:14, Rob Crittenden wrote: > Martin Štefany wrote: >> Hello, >> >> I remember experiencing this, but I'm not

Re: [Freeipa-users] CA installation failed on server

2015-11-30 Thread Martin Basti
On 30.11.2015 17:45, Rob Crittenden wrote: Christian Heimes wrote: On 2015-11-30 16:27, Rob Crittenden wrote: Christian Heimes wrote: On 2015-11-30 12:51, Martin Basti wrote: On 28.11.2015 00:14, Rob Crittenden wrote: Martin Štefany wrote: Hello, I remember experiencing this, but I'm

Re: [Freeipa-users] CA installation failed on server

2015-11-30 Thread Christian Heimes
On 2015-11-30 17:48, Martin Basti wrote: > If I did read logs right, there was ipa-server-installed, CA > uninstallation failed and now IPA server install is failing because new > CA cannot be installed due the old instance of CA. Martin, you are right. Daniel didn't mention reinstallation in his

Re: [Freeipa-users] CA installation failed on server

2015-11-30 Thread Rob Crittenden
Christian Heimes wrote: > On 2015-11-30 12:51, Martin Basti wrote: >> >> >> On 28.11.2015 00:14, Rob Crittenden wrote: >>> Martin Štefany wrote: Hello, I remember experiencing this, but I'm not sure of solution. I think it's related to apache (httpd) and his group. My

Re: [Freeipa-users] CA installation failed on server

2015-11-30 Thread Christian Heimes
On 2015-11-30 16:27, Rob Crittenden wrote: > Christian Heimes wrote: >> On 2015-11-30 12:51, Martin Basti wrote: >>> >>> >>> On 28.11.2015 00:14, Rob Crittenden wrote: Martin Štefany wrote: > Hello, > > I remember experiencing this, but I'm not sure of solution. I think it's >

Re: [Freeipa-users] Ticket transfer from host to host

2015-11-30 Thread Rob Crittenden
Thomas Lau wrote: > Hi Rob, > > So what you are trying to say is that it's nothing to do with FreeIPA > but ssh client itself? Correct. rob > > On Mon, Nov 30, 2015 at 11:39 AM, Rob Crittenden > wrote: > > Thomas Lau wrote: > > Hi

Re: [Freeipa-users] CA installation failed on server

2015-11-30 Thread Rob Crittenden
Christian Heimes wrote: > On 2015-11-30 17:48, Martin Basti wrote: >> If I did read logs right, there was ipa-server-installed, CA >> uninstallation failed and now IPA server install is failing because new >> CA cannot be installed due the old instance of CA. > > Martin, you are right. Daniel

Re: [Freeipa-users] HBAC - Limit SSH access to "test" systems

2015-11-30 Thread Alexander Skwar
Hello Alexander ;) 2015-11-30 10:38 GMT+01:00 Alexander Bokovoy : > HBAC is enforced by SSSD over PAM. All you need to ensure is that an > application (sshd in this case) uses PAM. Then you setup HBAC rules, > disable allow_all rule, and then SSSD will verify rules on logon

Re: [Freeipa-users] FreeIPA 4.1 -> 4.2 replica upgrade process

2015-11-30 Thread Martin Basti
On 30.11.2015 10:12, Andreas Calminder wrote: Hello! This might be trivial but I want to double check the preferred way of upgrading my ipa environment, I have 3 servers (Running Rhel 7.1, ipa 4.1), 1 acting as master with a ca (external certificate), the replicas are also ca's, they're

Re: [Freeipa-users] HBAC - Limit SSH access to "test" systems

2015-11-30 Thread Alexander Bokovoy
On Mon, 30 Nov 2015, Alexander Skwar wrote: Hello Alexander ;) 2015-11-30 10:38 GMT+01:00 Alexander Bokovoy : HBAC is enforced by SSSD over PAM. All you need to ensure is that an application (sshd in this case) uses PAM. Then you setup HBAC rules, disable allow_all rule,

Re: [Freeipa-users] CA installation failed on server

2015-11-30 Thread Martin Basti
On 28.11.2015 00:14, Rob Crittenden wrote: Martin Štefany wrote: Hello, I remember experiencing this, but I'm not sure of solution. I think it's related to apache (httpd) and his group. My notes for IPA installation on CentOS 7.x say: # groupadd -g 48 apache # yum -y install ipa-server

Re: [Freeipa-users] HBAC - Limit SSH access to "test" systems

2015-11-30 Thread Jan Pazdziora
On Mon, Nov 30, 2015 at 11:18:15AM +0100, Alexander Skwar wrote: > > Hm, okay. But when I deactivate the "allow_all" rule, doesn't that also > change the "default" behaviour? I mean, by default, everything will > be allowed for everyone on every system. No. > When I deactivate the allow_all -

[Freeipa-users] HBAC - Limit SSH access to "test" systems

2015-11-30 Thread Alexander Skwar
Hello I'm trying to setup our FreeIPA 4.1.0 (RHEL 7) servers with Ubuntu 14.04 FreeIPA 3.3.4 clients so, that users in a user group called "customers" can only access hosts, which are in a host group called "test". Users from the user group "ops" should be able to access all systems (ie. "prod"

Re: [Freeipa-users] Problem with AD authentication after updating to 7.2 OS server

2015-11-30 Thread Morgan Marodin
I've found the problem, using DEBUG3 into SSH service: - Nov 30 08:52:47 myserver sshd[9639]: debug1: Unspecified GSS failure. Minor code may provide more information\nClock skew too great\n Nov 30 08:52:47 myserver

Re: [Freeipa-users] HBAC - Limit SSH access to "test" systems

2015-11-30 Thread Alexander Bokovoy
On Mon, 30 Nov 2015, Alexander Skwar wrote: Hello I'm trying to setup our FreeIPA 4.1.0 (RHEL 7) servers with Ubuntu 14.04 FreeIPA 3.3.4 clients so, that users in a user group called "customers" can only access hosts, which are in a host group called "test". Users from the user group "ops"

Re: [Freeipa-users] FreeIPA and LetsEncrypt Question

2015-11-30 Thread Alexander Bokovoy
On Mon, 30 Nov 2015, Günther J. Niederwimmer wrote: Hello, I have the question, know any from the FreeIPA "Gurus" ;-), are the new upcoming LetsEncrypt Certificates compatible and working with FreeIPA? We have plans to support issuing certificates via Let's Encrypt. However, right now Let's

Re: [Freeipa-users] FreeIPA 4.1 -> 4.2 replica upgrade process

2015-11-30 Thread Martin Kosek
On 11/30/2015 01:32 PM, Andreas Calminder wrote: > Great, thanks! > I'll just go ahead and yum update then :). I would just recommend to upgrade one-by-one, to avoid replication conflicts if multiple masters add the same entries in the tree in the same time. > On 11/30/2015 11:58 AM, Martin

[Freeipa-users] FreeIPA AD password sync

2015-11-30 Thread Gašper Bregar
I have been struggling with FreeIPA and AD password sync for a couple of days now. At first everything was working fine, but then all of a sudden the synchronization started to fail for me and another user. The error in passsync log was Ldap error in ModifyPassword > 50: Insufficient access It

[Freeipa-users] FreeIPA and LetsEncrypt Question

2015-11-30 Thread Günther J. Niederwimmer
Hello, I have the question, know any from the FreeIPA "Gurus" ;-), are the new upcoming LetsEncrypt Certificates compatible and working with FreeIPA? Thanks for an answer, -- mit freundlichen Grüßen / best regards, Günther J. Niederwimmer

Re: [Freeipa-users] FreeIPA 4.1 -> 4.2 replica upgrade process

2015-11-30 Thread Andreas Calminder
Great, thanks! I'll just go ahead and yum update then :). /andreas On 11/30/2015 11:58 AM, Martin Basti wrote: On 30.11.2015 10:12, Andreas Calminder wrote: Hello! This might be trivial but I want to double check the preferred way of upgrading my ipa environment, I have 3 servers (Running