Hi,
On Fri, Oct 23, 2009 at 12:50:13PM +, Simo Sorce wrote:
> On Thu, 2009-10-22 at 18:13 -0700, Sean Brady wrote:
> > If there is anything that I can do to assist with this project,
> > whether it be documentation editing, testing, financial (to a limited
> > degree), or anything else, please
On Fri, Dec 18, 2009 at 03:13:22PM -0500, Dan Scott wrote:
>
> I've just read Simo Sorce's comments about system users and I think
> that this may be causing some of my problems. If I read this
> correctly, I cannot just ssh from one machine to another in a
> different realm using a user in the fi
On Thu, Feb 18, 2010 at 02:07:54PM -0500, Rob Crittenden wrote:
>
> Please take a moment to play with these pages. Please do not pay
> attention to style, rather focus attention to the work flow, layout and
> data being added, displayed or modified. We need to understand if the
> direction th
On Tue, May 11, 2010 at 04:42:26PM -0500, Rob Townley wrote:
> Microsoft is touting "Direct Access" as a main reason to upgrade to
> Win2008R2 / Win7.
All i see there functionalitywise can be provided by a vpn-endpoint
using kerberos/ldap for authentication/authorization.
As a feature i read 'us
On Wed, May 12, 2010 at 12:24:00PM -0500, Rob Townley wrote:
>
> Yes, it is a machine level as opposed to user level vpn. tinc would
> have to run all machines to make it the easiest to use. With freeipa,
> that could be easy.
>
> The keys currently are RSA public / private keypairs.
>
> Does
On Thu, Jul 22, 2010 at 03:30:23PM -0400, Scott Duckworth wrote:
>
> There are almost 120,000 users in our directory, and we currently have ~200
> Linux systems that might use SSSD, soon scaling to >500 systems. I imagine
> that even 500 systems is only a medium-scale installation compared to som
On Mon, Jan 03, 2011 at 07:37:51PM +0100, Roland Kaeser wrote:
> It's sad, but in most cases, sysadmins have to deal with
> windows machines in their network.
True, but IMHO the strategy FreeIPA is currently following in doing
interop with crossrealm-trusts is the only longterm way to go.
Spendi
Hi,
On Mon, Mar 21, 2011 at 11:43:39AM -0500, Steven Bernstein wrote:
>
> My point is: When I go to run the installation script on my Fedora box, it
> tells me the script cannot be run unless the IP resolves in both
> directions. Is there a 'decent' way to go 'round this? Looking for help,
> if
Hi,
On Tue, Mar 22, 2011 at 10:49:07AM -0500, Steven Bernstein wrote:
> Would you be able to point me towards an instructable / how-to on that,
> please?
These were my notes for setting it up on rhel5 some time ago:
http://fluxcoil.net/doku.php/kerberos/3_setup_bind
Yet one has to know some bas
Hi,
On Wed, Jan 23, 2013 at 02:50:06PM -0800, Eric Chennells wrote:
>
> I have followed the instructions of these two guides:
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Using_Microsoft_Windows.html
> http://freeipa.org/page/Windows_authentication_against_FreeIPA
>
> Ker
Hi,
On Thu, Jan 24, 2013 at 01:36:04PM -0800, Eric Chennells wrote:
> [windows kerberos client]
>
> Is anyone aware of if there is an LDAP related configuration needed? It
> seems like only setting up the kerberos authentication is not enough.
The only working way with unmodified [1] Windows as
On Mon, Feb 11, 2013 at 12:00:22PM -0500, rashard.ke...@sita.aero wrote:
> I was wondering if I need to be concerned about IPA 2 being updated
> automatically to IPA 3? We have a working IPA 2 environment in place now
> and wanted to know if IPA needed to be added to an exclude list. We are
> af
On Mon, Feb 11, 2013 at 01:25:56PM -0500, Rob Crittenden wrote:
> Christian Horn wrote:
> >
> >If you have the old system only receiving z-stream updates, so i.e.
> >6.3.z for a RHEL6.3 then you will stay on ipa2.
> >
> >I just tested the upgrade of a populated ipa
On Mon, Feb 11, 2013 at 02:26:06PM -0500, Rob Crittenden wrote:
> Christian Horn wrote:
> >On Mon, Feb 11, 2013 at 01:25:56PM -0500, Rob Crittenden wrote:
> >>Christian Horn wrote:
> >>>
> >>>If you have the old system only receiving z-stream updates, so i
On Mon, Feb 11, 2013 at 09:05:40PM +, Steven Jones wrote:
> Personally I'm very worried, 6.2 to 6.3 went badly and this looks like a
> bigger upgrade
I might miss something.. but can't one create a "throw away replica"
of the old environment, use that then separately and try out the
upgrade wi
Hi,
On Mon, Feb 25, 2013 at 09:46:49AM +0100, Sigbjorn Lie wrote:
>
> $ ipa dnszone-add example.com --name-server=ns01.example.com
> --admin-email=hostmaster.example.com
> ipa: ERROR: attribute "idnsAllowTransfer" not allowed
>
> [..]
>
> Is this a known error?
Yes,
the idnsZone objectClass e
Hoi,
Dale Macartney wrote:
>
> I'm open to hear some opinions and thoughts on what the best way to
> auto-provision service principals in an environment with a 100%
> autonomous build process..
>
> Let's say for example, I wanted to provision a mail server and configure
> dovecot SSO in the sam
Dale Macartney wrote:
>
> On 03/11/2013 11:04 AM, Christian Horn wrote:
> >
> > How about having service-add/ipa-getkeytab done on the server,
> > and having the keytab deployed onto the clientsystem using scp from
> > the server, or via configmanagement?
Hi,
On Tue, Mar 19, 2013 at 10:48:31AM -0400, Guy Matz wrote:
> Hi! Does anyone know of a recent & detailed
> installation/configuration guide for IPA? Is the InstallAndDeploy
> wiki (http://freeipa.org/page/InstallAndDeploy) still appropriate?
> It mentions Fedora 7, so I'm thinking it might be
Hi,
On Tue, Mar 26, 2013 at 05:02:34PM +0100, Petr Viktorin wrote:
>
> We will soon be introducing a way to install IPA with custom
> certificates without a CA at all. When that is merged, it will no
> longer be possible to install a self-sign server.
I see that the change in functionality is in
On Thu, Mar 28, 2013 at 09:32:36AM +0100, Petr Viktorin wrote:
>
> To clarify: this is about removing the --selfsign option to
> ipa-server-install, which installs a limited CA (for example, it
> doesn't support CA replication or cert-find).
>
> The default Dogtag CA also uses a self-signed certi
Hi,
On Sun, Jun 16, 2013 at 11:49:18AM +0530, RK RK wrote:
>
> One thing I want to know is can we block the access to USB storage devices
> like (pendrive, usb-CDROM etc.) for normal users who are logging into
> client machines in the IPA domain.
This is more about systems administration than IP
On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
> Are [1] and [2] still the current and best sources of information for
> configuring sudo for use with the current release of FreeIPA on Fedora
> 19?
>
> 1.
> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html
> 2
Hi,
On Mon, Sep 16, 2013 at 04:04:49PM +, Ondrej Valousek wrote:
> Is there any howto describing Firefox (or IE, if possible) authenticating
> against Apache web server using GSSAPI/Kerberos?
> Both client & server in the same IPA domain.
> Ideally I would like to know FF and Apache setup +
On Tue, Sep 24, 2013 at 11:23:29AM -0600, Erinn Looney-Triggs wrote:
> I wanted to bring up the idea of integrating TLSA records into FreeIPA
> so that a host that is issued a certificate for say the web server (via
> dogtag) would also publish that information in DNS using a TLSA record.
> This is
On Wed, Sep 25, 2013 at 08:52:53AM +0200, Petr Spacek wrote:
> On 25.9.2013 08:20, Christian Horn wrote:
> >
> >Hm.. another nice idea would be to announce services via
> >zeroconf/bonjour. I guess effectively its the same as having clients
> >search in DNS "
On Wed, Sep 25, 2013 at 09:23:06AM +0200, Jakub Hrozek wrote:
> On Wed, Sep 25, 2013 at 09:07:17AM +0200, Christian Horn wrote:
> > On Wed, Sep 25, 2013 at 08:52:53AM +0200, Petr Spacek wrote:
> > > On 25.9.2013 08:20, Christian Horn wrote:
> > > >
> > &
On Wed, Sep 25, 2013 at 10:43:16AM +0300, Alexander Bokovoy wrote:
> Before adding a support for this in FreeIPA it is worth to see if any of
> supposed clients would already have it supported.
I was more having in mind to announce services that IPA learns
about automatically, but the server offe
Hi,
On Tue, Oct 01, 2013 at 05:11:16PM +0200, Petr Spacek wrote:
> Questions are:
> - For what purpose do you use views?
I see only use for 2 views:
a) Internal clients, domain members. They
- see everything (internet DNS records plus IPA domain
data)
- can request recur
Hi,
On Wed, Dec 04, 2013 at 10:52:58AM -0500, Dimitar Georgievski wrote:
>
> I plan to install FreeIPA on CentOS 6.4. Initially FreeIPA should provide
> secure authentication and authorization for system (shell) accounts (users
> and groups) by integration with SSSD.
> There is already a DNS ser
Hi,
On Thu, Dec 26, 2013 at 11:59:28AM +0600, Arthur Faizullin wrote:
>
> As I mentioned earlier in my previous topic, when I do:
> # authconfig --enablemkhomedir update
> that somehow makes sssd off (disables autostart), so I should do:
> # chkconfig sssd on
> os: EL6 (CentOS)
> ipa version:
On Thu, Feb 06, 2014 at 09:33:08AM -0500, Mauricio Tavares wrote:
> Where can I configure the range, or at least starting value, for
> the uid and gid that will be used when creating user accounts?
I think this helps:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linu
On Mon, May 23, 2011 at 08:58:53PM +, Steven Jones wrote:
>
> I just built a brand new RHEL6.1 64bit server and installed ipa-server
> and despite setting up the chkconfig's it won't start on boot...it
> will start manually later by hand...
Works out of the box for my virt-installed virtual
Hi,
On Mon, May 23, 2011 at 11:20:27PM +0200, Sigbjorn Lie wrote:
>
> My issue is startup of IPA only occurs when the host is extremely
> busy, such as after a reboot of the host machine when the disk is
> grinding and the cpu is almost going up in flames of all the virtual
> machines starting at
On Tue, May 24, 2011 at 11:13:06AM +0200, Sigbjorn Lie wrote:
>
> Do you have any examples for how to do cgroup configuration for a KVM
> machine? I've had a quick
> browse through the cgrules.conf file, and I don't see an option for
> specifying KVM machines...
Look at it as a usual process.
L
On Wed, May 25, 2011 at 01:29:41PM -0800, Erinn Looney-Triggs wrote:
> On 05/25/2011 01:21 PM, Steven Jones wrote:
> >
> > As far as I am aware Windows clients can only authenticate against ADs. So
> > if you need to authenticate Windows you need a password trust/sync setup
> > with AD and yes y
On Thu, May 26, 2011 at 05:51:59AM +, Steven Jones wrote:
> Quickly as I'm late.
>
> We are setting up cross realm from AD to a school who runs MIT Kerberos with
> openldap underneath. A windows client in our domain can then connect to a
> school resource where its connected to the school's
On Tue, May 31, 2011 at 02:17:44AM +, Steven Jones wrote:
>
> So the docs should cover this at the least
It's actually not a problem of ipa but a feature of your shell.
I bet there is documentation for your shell explaining the usage
of &.
In case you use a shell which does not use & to c
Hi,
On Fri, Jun 17, 2011 at 02:15:41AM -0400, Tim Hildred wrote:
> I have a VM running FreeIPA, and have the DNS SRV records referencing
> ldap and kerberos mentioned in the documentation.
So things used by ipa clients.
> In trying to set the domain of my Win2k8 VM to mysandbox.com, i get
>
On Thu, Jun 23, 2011 at 02:33:43PM -0400, Deon Lackey wrote:
>
> I'm culling through some of the recent issues on this list to make
> sure they end up on the FreeIPA wiki or in the FreeIPA guide
> (https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/index.html).
Really nice to see
On Thu, Jun 30, 2011 at 01:58:32PM +0700, Muhammad Naufal wrote:
> Now it can authenticate against IPA server but no ticket generated when i
> type klist in XP cmd prompt.
> As a result i can not access IPA web ui.
IIRC multiple ticket caches can be used there.
Maybe the MIT windows kerberos
On Mon, Oct 03, 2011 at 10:03:12AM +0200, Ondrej Valousek wrote:
> Just wondering why would anyone want to sync freeIPA and AD - both
> can serve Linux systems fine, so if I already have AD, I no longer
> require IPA.
- the error messages of an AD might be strange to deal with for
unix/linux admin
On Wed, Nov 09, 2011 at 09:21:02PM -0600, ~Stack~ wrote:
>
> Does anyone know what version of IPA will be in 6.2? I dug around on
> their ftp site in the beta section [1] looking for SRPMS but I didn't
> see anything. Well they do have a ipa-client-2.0-2.el6.src.rpm but I
> didn't see anything for
On Wed, Feb 08, 2012 at 11:13:36AM +, Dale Macartney wrote:
>
> i'm dabbling with automated provisioning of ipa client servers, and i'm
> a little perplexed on how to add a keytab to a system during the %post
> section of a kickstart...
>
> i've run ipa-client-install -U -p admin -w redhat123
Hi,
On Wed, Feb 29, 2012 at 11:24:25AM -0500, Kelvin Edmison wrote:
>
> I am running into an issue where users cannot access a samba volume if
> their only access is via a secondary group. For example, if testuser's
> primary group is ipausers, and secondary groups include testgroup, and the
>
On Mon, Aug 27, 2012 at 08:57:20AM +0200, David Sastre wrote:
> On Sun, Aug 26, 2012 at 6:05 AM, KodaK wrote:
> > Regardless, I need some help. I need some help with comparisons
> > between FreeIPA and AD, and the problems and issues one might
> > encounter when trying to authenticate Unix machine
Hi,
On Mon, Sep 10, 2012 at 06:07:57PM -0400, Dmitri Pal wrote:
>
> Does anyone use logrotate?
Not yet, indeed good idea.
> Have you seen something else that would be valuable for others to
> consider when configuring logrotate with IPA?
IPA has many services writing to independent files. H
Hi,
On Tue, Sep 25, 2012 at 12:17:47AM +0200, James James wrote:
>
> we are planning to install 150 freeipa clients and I was wondering if there
> is a way to easily install (from kickstart) nfsv4 client.
>
> I can add host with
>
> # ipa host-add --password=secret
>
> But to get the keytab (h
Hi,
On Thu, Oct 25, 2012 at 07:55:31PM +, Steven Jones wrote:
>
> One thing that has plagued me for the last 9 months is trying to fault find
> why something doesn't work when setting up or in operation. Looking at each
> section, say the passsync I think it would be useful to have a
> trou
On Fri, Dec 07, 2012 at 01:02:01PM +0100, Petr Spacek wrote:
>
> I accidentally found following how-to:
> http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
> Did somebody try it? Did it work?
Looks good, although I like the 'nfsroot' style of nfsv4.
My notes are at
http://fluxcoil.net/doku.