[Freeipa-users] DNSSEC warning when DNSSEC should be disabled

2017-04-13 Thread Dan Dietterich
I am seeing inconsistent results configuring a DNS forward zone. At a bash prompt, as root, after kinit admin, I do: ipa dnsforwardzone-add domain.internal --forwarder= ww.xx.yy.zz --forward-policy=only That works fine and does not warn about DNSSEC. In a Java webapp running as root under a

Re: [Freeipa-users] add trust between FreeIPA and Samba AD DC

2017-04-13 Thread Alexander Bokovoy
On Thu, 13 Apr 2017, Tiemen Ruiten wrote: Excerpt from the httpd error_log on the FreeIPA replica: [Thu Apr 13 11:17:44.072996 2017] [:error] [pid 28346] ipa: INFO: [jsonserver_kerb] ad...@i.rdmedia.com: ping(): SUCCESS [Thu Apr 13 11:17:50.708019 2017] [:error] [pid 28347] ipa: ERROR:

[Freeipa-users] replica creation problems

2017-04-13 Thread Josh
Scenario: RHEL7 IPA with DNS and without CA. Initial installation was done using --http-cert-file, --dirsrv-cert-file with certificates from an issuer A. For a number of reasons replica must be created with certificates from an issuer B. A bundle consisting of key, server certificate and a

Re: [Freeipa-users] add trust between FreeIPA and Samba AD DC

2017-04-13 Thread Tiemen Ruiten
Excerpt from the httpd error_log on the FreeIPA replica: [Thu Apr 13 11:17:44.072996 2017] [:error] [pid 28346] ipa: INFO: [jsonserver_kerb] ad...@i.rdmedia.com: ping(): SUCCESS [Thu Apr 13 11:17:50.708019 2017] [:error] [pid 28347] ipa: ERROR: non-public: RuntimeError: (-1073741811, 'Unexpected

Re: [Freeipa-users] add trust between FreeIPA and Samba AD DC

2017-04-13 Thread Tiemen Ruiten
Of course: FreeIPA versions: [root@ipa-ams-01 samba]# rpm -qa | grep ipa libipa_hbac-1.14.0-43.el7_3.14.x86_64 sssd-ipa-1.14.0-43.el7_3.14.x86_64 python2-ipaclient-4.4.0-14.el7.centos.7.noarch ipa-server-trust-ad-4.4.0-14.el7.centos.7.x86_64 ipa-client-common-4.4.0-14.el7.centos.7.noarch

Re: [Freeipa-users] add trust between FreeIPA and Samba AD DC

2017-04-13 Thread Alexander Bokovoy
On Thu, 13 Apr 2017, Tiemen Ruiten wrote: Apologies, now with proper subject. On 13 April 2017 at 16:49, Tiemen Ruiten wrote: Hello! As I understand from this thread, it should be possible to

[Freeipa-users] add trust between FreeIPA and Samba AD DC

2017-04-13 Thread Tiemen Ruiten
Apologies, now with proper subject. On 13 April 2017 at 16:49, Tiemen Ruiten wrote: > Hello! > > As I understand from this > > thread, > it should be possible to set up a trust between FreeIPA and

[Freeipa-users] (no subject)

2017-04-13 Thread Tiemen Ruiten
Hello! As I understand from this thread, it should be possible to set up a trust between FreeIPA and Samba4. My AD domain is clients.i.rdmedia.com, it's a subdomain of my FreeIPA domain, i.rdmedia.com. Therefore I added a

Re: [Freeipa-users] any tips or horror stories about automating dynamic enrollment and removal of IPA clients?

2017-04-13 Thread Chris Dagdigian
Hah! I've been deep into SGE (user, trainer, consultant) for years. Our setups are pretty similar but I'm hoping to use the AWS cfnCluster stack (https://github.com/awslabs/cfncluster) because it is officially blessed by AWS and since it's a cloudformation template at the end of the day it's

[Freeipa-users] Using fqdn in /etc/hostname causes duplicate domain in DHCP dyndns update

2017-04-13 Thread Kees Bakker
Hey, Hopefully someone here can hint me towards an (easier) solution. In short, for correct DHCP-DDNS updates there should be a non-fqdn in /etc/hostname. To install IPA client I am forced to have a fqdn in /etc/hostname. But now the DHCP-DDNS results in duplicated domain portion of the DNS

Re: [Freeipa-users] any tips or horror stories about automating dynamic enrollment and removal of IPA clients?

2017-04-13 Thread Simo Sorce
On Thu, 2017-04-13 at 17:16 +0300, Alexander Bokovoy wrote: > On Thu, 13 Apr 2017, Simo Sorce wrote: > >On Thu, 2017-04-13 at 08:05 -0400, Chris Dagdigian wrote: > >> Hi folks, > >> > >> I've got a high performance computing (HPC) use case that will need AD > >> integration for user identity

Re: [Freeipa-users] any tips or horror stories about automating dynamic enrollment and removal of IPA clients?

2017-04-13 Thread Alexander Bokovoy
On Thu, 13 Apr 2017, Simo Sorce wrote: On Thu, 2017-04-13 at 08:05 -0400, Chris Dagdigian wrote: Hi folks, I've got a high performance computing (HPC) use case that will need AD integration for user identity management. We've got a working IPA server in AWS that has 1-way trusts going to

Re: [Freeipa-users] any tips or horror stories about automating dynamic enrollment and removal of IPA clients?

2017-04-13 Thread Simo Sorce
On Thu, 2017-04-13 at 08:05 -0400, Chris Dagdigian wrote: > Hi folks, > > I've got a high performance computing (HPC) use case that will need AD > integration for user identity management. We've got a working IPA server > in AWS that has 1-way trusts going to several remote AD forests and >

Re: [Freeipa-users] any tips or horror stories about automating dynamic enrollment and removal of IPA clients?

2017-04-13 Thread Gerald-Markus Zabos
On Thursday, 13.04.2017, 08:05 -0400, Chris Dagdigian wrote: > Right now I'm leaning towards Option #2 but would love to hear > experiences regarding moderate-scale automatic enrollment and removal of > clients! > > -Chris Hi Chris, we're facing a similar use case from day to day, but

Re: [Freeipa-users] Problem automounting home shares

2017-04-13 Thread Ronald Wimmer
On 2017-04-13 12:47, Ronald Wimmer wrote: On 2017-04-12 17:21, Jason B. Nance wrote: [...] You can still use autofs and mkhomdir, just use a direct mount for /home instead of indirect mounts. In other words, mount "/home" entirely vs. "/home/" individually. Thanks for clarification. I made

Re: [Freeipa-users] password history

2017-04-13 Thread Richard Neuboeck
On 04/13/2017 01:00 PM, Alexander Bokovoy wrote: > Password history is stored in passwordHistory attribute. This attribute > is not returned by default, one have to specify it explicitly. thanks!

[Freeipa-users] any tips or horror stories about automating dynamic enrollment and removal of IPA clients?

2017-04-13 Thread Chris Dagdigian
Hi folks, I've got a high performance computing (HPC) use case that will need AD integration for user identity management. We've got a working IPA server in AWS that has 1-way trusts going to several remote AD forests and child domains. Works fine but so far all of the enrolled clients are

Re: [Freeipa-users] password history

2017-04-13 Thread Alexander Bokovoy
On Thu, 13 Apr 2017, Richard Neuboeck wrote: Hi there, I'm hoping someone can help me find the password history entries for a particular user. The policy is set up to store 10 passwords. Changing the password confirms that the history works properly. From what I've found online I was led to

Re: [Freeipa-users] Problem automounting home shares

2017-04-13 Thread Ronald Wimmer
On 2017-04-12 17:21, Jason B. Nance wrote: [...] You can still use autofs and mkhomdir, just use a direct mount for /home instead of indirect mounts. In other words, mount "/home" entirely vs. "/home/" individually. Thanks for clarification. I made a direct map for /home now that looks like:

[Freeipa-users] password history

2017-04-13 Thread Richard Neuboeck
Hi there, I'm hoping someone can help me find the password history entries for a particular user. The policy is set up to store 10 passwords. Changing the password confirms that the history works properly. From what I've found online I was led to believe that the history entries are stored in

Re: [Freeipa-users] bind-dyndb-ldap replication errors

2017-04-13 Thread Tomas Krizek
On 04/12/2017 02:26 PM, Brendan Kearney wrote: > list members, > > i am using bind-dyndb-ldap without freeipa, and i consistently get the > below errors in my logs: > > update_zone (syncrepl) failed for master zone DN > 'idnsName=24.168.192.in-addr.arpa.,cn=dns,ou=Daemons,dc=bpk2,dc=com'. > Zones