I've been running freeipa-server-4.x.x.fc25.x86_64 in systemd-nspawn selinux-
wrapped full OS containers for a while.
After upgrading to F25 on the host, systemd disabled access to the KEYRING
ccache type from nspawn containers since the kernel keyring isn't namespaced.
So anything that needs
On 17/03/2017 14:01, Lukas Slebodnik wrote:
> On (17/03/17 13:52), Bob Hinton wrote:
>> On 17/03/2017 12:48, Lukas Slebodnik wrote:
>>> On (17/03/17 10:40), Bob Hinton wrote:
On 17/03/2017 08:41, Jakub Hrozek wrote:
> On Fri, Mar 17, 2017 at 06:50:34AM +, Bob Hinton wrote:
>>
Justin,
I verified that the pam.d files were as you documented, and they were the same
between the two clients. However, I forgot that I had a local user defined that
matched the account name. That was stupid of me. I removed the local user, and
now it is doing the SSS_PAM_ACCT_MGMT, so at
I've got the api integrated for all local users and am looking at if
there are any differences between that and if my ipa domain is in a
CFT with an AD domain. Right now I'm using "group_add_member", should
that work for users coming from a trusted forest as well?
Thanks
Marc Boorshtein
CTO
On 03/17/2017 11:27 AM, Kilborn, Jim wrote:
Jakub,
Thanks for the response...
I already had the selinux_provider=none in the sssd.conf
The sssd.conf is identical on both clients, with the exception of ipa_hostname
[domain/ipa.mydomain.org]
selinux_provider = none
cache_credentials = True
On 03/16/2017 07:14 PM, Ian Harding wrote:
I've made some progress. But I have one zombie replication agreement to
kill, I just don't know the syntax.
The output listed below is not replication agreement. But there is
reference to RUV.
freeipa-dal.bpt.rocks does not exist. I want all
Jakub,
Thanks for the response...
I already had the selinux_provider=none in the sssd.conf
The sssd.conf is identical on both clients, with the exception of ipa_hostname
[domain/ipa.mydomain.org]
selinux_provider = none
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain
On (17/03/17 13:52), Bob Hinton wrote:
>On 17/03/2017 12:48, Lukas Slebodnik wrote:
>> On (17/03/17 10:40), Bob Hinton wrote:
>>> On 17/03/2017 08:41, Jakub Hrozek wrote:
On Fri, Mar 17, 2017 at 06:50:34AM +, Bob Hinton wrote:
> Morning,
>
> We have a collection of hosts
On 17/03/2017 12:48, Lukas Slebodnik wrote:
> On (17/03/17 10:40), Bob Hinton wrote:
>> On 17/03/2017 08:41, Jakub Hrozek wrote:
>>> On Fri, Mar 17, 2017 at 06:50:34AM +, Bob Hinton wrote:
Morning,
We have a collection of hosts within prod1.local.lan. However, the
domain
On (17/03/17 10:40), Bob Hinton wrote:
>On 17/03/2017 08:41, Jakub Hrozek wrote:
>> On Fri, Mar 17, 2017 at 06:50:34AM +, Bob Hinton wrote:
>>> Morning,
>>>
>>> We have a collection of hosts within prod1.local.lan. However, the
>>> domain section of the shadow netgroups for the hosts is
>>>
On 17/03/2017 08:41, Jakub Hrozek wrote:
> On Fri, Mar 17, 2017 at 06:50:34AM +, Bob Hinton wrote:
>> Morning,
>>
>> We have a collection of hosts within prod1.local.lan. However, the
>> domain section of the shadow netgroups for the hosts is
>> mgmt.prod.local.lan. This seems to prevent sudo
On 03/17/2017 03:20 AM, Lachlan Musicman wrote:
While going through the logs on the FreeIPA server, I noticed this:
WARNING: changelog: entry cache size 2097152 B is less than db size 12804096 B;
We recommend to increase the entry cache size nsslapd-cachememsize.
I have found a number of
Hi Lachlan,
This is probably a complete hack, but the way I've changed
nsslapd-cachememsize in the past is -
On each ipa replica in turn -
1. ipactl stop
2. vim /etc/dirsrv/slapd-DOMAIN/dse.ldif- (where DOMAIN is your
server's domain/realm - not sure which) find and change the value
On Fri, Mar 17, 2017 at 06:50:34AM +, Bob Hinton wrote:
> Morning,
>
> We have a collection of hosts within prod1.local.lan. However, the
> domain section of the shadow netgroups for the hosts is
> mgmt.prod.local.lan. This seems to prevent sudo rules working on these
> hosts unless they
On Thu, Mar 16, 2017 at 08:24:42PM +, Kilborn, Jim wrote:
> Greetings,
>
> My first post to the forum.
>
> We are running centos7 with freeipa. Syncing from AD, with one linux replica.
> The ipa clients are getting installed by puppet. All the clients are
> performing fine, except one. I am
On Fri, Mar 17, 2017 at 08:35:42AM +1100, Lachlan Musicman wrote:
> Which logs do you want from the server?
NSS and domain
Hello Ian,
You could do:
`ipa-replica-manage del freeipa-dal.bpt.rocks --force --cleanup`
Then you may need to check again for the master with `ipa-replica-manage
list`. If it's not there anymore, check whether some RUVs are still in
place with `ipa-replica-manage list-ruv`.
The last
Morning,
We have a collection of hosts within prod1.local.lan. However, the
domain section of the shadow netgroups for the hosts is
mgmt.prod.local.lan. This seems to prevent sudo rules working on these
hosts unless they specify all hosts -
-sh-4.2$ getent netgroup oepp_hosts
oepp_hosts