[Freeipa-users] KRA Cannot Authenticate with LDAP After Replication

2017-04-12 Thread Ilya Kogan
Hi, I’m wondering if anyone might be able to help me figure out why my KRA is failing after a fairly recent installation. It's throwing exceptions about LDAP authentication that look like the following (note, I’ve truncated some of the stacks for brevity: Apr 12 21:14:22 server[7515]: Could

[Freeipa-users] DM Password Change & Password Storage

2017-04-12 Thread Jeremy Utley
Hello all! We've got 2 replicated instances of FreeIPA 4.4.0 from the EPEL repository running on fully-updated CentOS 7 instances. We're going through an audit right now, and I have to provide some proof of certain things related to IPA to our auditors. Unfortunately, the person who originally set

[Freeipa-users] User policies

2017-04-12 Thread Michael Rainey (Contractor)
Greetings, I have a question about user policies on which I hope someone can provide some guidance. I have a small set of users who are tightly restricted on our network. They are only allowed to log into certain machines, and mount specific filesystems located on other machines. At the moment

Re: [Freeipa-users] Problem automounting home shares

2017-04-12 Thread Jason B. Nance
Hi Ronald,

> Some details regarding my setup: I have a CentOS 7.3 machine acting as
> an NFS server. It is a host within my IPA domain and enrolled as an IPA
> client.
>
> [root@ipanfs ~]# cat /etc/exports
>
> /homeshare*(rw,sec=krb5:krb5i:krb5p)

This isn't related to your issue but you

Re: [Freeipa-users] Problem automounting home shares

2017-04-12 Thread Jason B. Nance
>> You cannot use indirect mounting and enablemkhomedir at the same time.
>> Indirect mounts require that the directory you are attempting to mount
>> already exists on the NFS server and that you let autofs fully manage
>> the "parent" directory on the client machine.

In this case, no

Re: [Freeipa-users] Problem automounting home shares

2017-04-12 Thread Ronald Wimmer
On 2017-04-12 14:55, Jason B. Nance wrote: [...] You cannot use indirect mounting and enablemkhomedir at the same time. Indirect mounts require that the directory you are attempting to mount already exists on the NFS server and that you let autofs fully manage the "parent" directory on the

[Freeipa-users] ipa-adtrust-install failing at samba restart

2017-04-12 Thread SOLER SANGUESA Miguel
Hello, I have the same error, can you explain how you fixed it, please? Thanks & Regards. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] 'NoneType' object is not iterable when removing broken ipa-server replica

2017-04-12 Thread Jake
Rob,

IPA Version:
rpm -qa ipa-server
ipa-server-4.4.0-14.el7.centos.1.1.x86_64

Contents of httpd/error_log
[Wed Apr 12 08:53:21.442283 2017] [:error] [pid 19175] ipa: ERROR: non-public: TypeError: 'NoneType' object is not iterable
[Wed Apr 12 08:53:21.442318 2017] [:error] [pid 19175]

[Freeipa-users] bind-dyndb-ldap replication errors

2017-04-12 Thread Brendan Kearney
List members, I am using bind-dyndb-ldap without FreeIPA, and I consistently get the below errors in my logs:

update_zone (syncrepl) failed for master zone DN 'idnsName=24.168.192.in-addr.arpa.,cn=dns,ou=Daemons,dc=bpk2,dc=com'. Zones can be outdated, run `rndc reload`: unexpected error

Re: [Freeipa-users] Centos7/IPA4.2 : disable/enable hosts

2017-04-12 Thread Johan Vermeulen
Hello Rob,

doing it this way indeed works. Thanks for helping me out.

Greetings, J.

2017-04-11 16:54 GMT+02:00 Rob Crittenden :
> Johan Vermeulen wrote:
> > Rob,
> >
> > thanks for helping me out.
> > I support some 80 laptop users at the moment, all running Centos7.
> >

[Freeipa-users] Problem automounting home shares

2017-04-12 Thread Ronald Wimmer
Hi, I am trying to automount user home shares from an NFS server. Up to now, without success. Some details regarding my setup: I have a CentOS 7.3 machine acting as an NFS server. It is a host within my IPA domain and enrolled as an IPA client.

[root@ipanfs ~]# cat /etc/exports

Re: [Freeipa-users] ldap.conf

2017-04-12 Thread Jakub Hrozek
On Wed, Apr 12, 2017 at 09:47:06AM +0200, Jakub Hrozek wrote:
> You can drop this line as well, it's the default for the AD provider.

s/AD/IPA/

Re: [Freeipa-users] ldap.conf

2017-04-12 Thread Jakub Hrozek
On Wed, Apr 12, 2017 at 09:30:38AM +0200, Christoph Kaminski wrote:
> Hi
>
> are the files /etc/ldap.conf and /etc/openldap/ldap.conf for ipa client
> and/or server systems necessary? What is the function of them?

They configure the openldap library. If you have an application (like ldapsearch)

Re: [Freeipa-users] ldap.conf

2017-04-12 Thread Jakub Hrozek
On Wed, Apr 12, 2017 at 09:34:59AM +0200, Christoph Kaminski wrote:
> Hi
>
> is this ok as config for sssd on centos 7 AND 6?
>
> [domain/hso]
> cache_credentials = True
> krb5_store_password_if_offline = True
> id_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt

You can drop this line as

[Freeipa-users] minimal sssd config

2017-04-12 Thread Christoph Kaminski
Hi, is this ok as config for sssd on centos 7 AND 6?

[domain/hso]
cache_credentials = True
krb5_store_password_if_offline = True
id_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam, ssh, sudo, autofs
config_file_version = 2
domains = hso

[nss]
[pam]
[sudo]
[autofs]

[Freeipa-users] ldap.conf

2017-04-12 Thread Christoph Kaminski
Hi, is this ok as config for sssd on centos 7 AND 6?

[domain/hso]
cache_credentials = True
krb5_store_password_if_offline = True
id_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam, ssh, sudo, autofs
config_file_version = 2
domains = hso

[nss]
[pam]
[sudo]
[autofs]

[Freeipa-users] ldap.conf

2017-04-12 Thread Christoph Kaminski
Hi, are the files /etc/ldap.conf and /etc/openldap/ldap.conf for ipa client and/or server systems necessary? What is the function of them? Greetz Christoph Kaminski

Re: [Freeipa-users] SSH access to only specific hosts using ssh keys

2017-04-12 Thread Jakub Hrozek
On Tue, Apr 11, 2017 at 10:50:34PM -0400, Tym Rehm wrote:
> So I want a user "bob" to ssh into server1 as the username of "support"
> with support@server1, but not let Bob ssh into support@server2. I have
> Bob's ssh public key added to the support user. I can block Bob from
> server1 or server2