Re: [Freeipa-users] certmonger question

2014-11-11 Thread Natxo Asenjo
hi, This seems to happen only in 32bits vm's. At least in my limited testing, 2 out of 2 32bits hosts running 6.5 after upgrading have this problem. An amd64 host is ok. $ rpm -qa | grep certmonger certmonger-0.75.13-1.el6.x86_64 $ rpm -qa | grep certmonger certmonger-0.75.13-1.el6.i686 --

[Freeipa-users] certmonger question

2014-11-10 Thread Natxo Asenjo
hi, is this the right list to post certmonger questions? Here I see only a developer's list without too much activity: https://fedorahosted.org/certmonger/ My question is simple. After upgrading a vm running centos 6.5 to 6.6 I am seeing this error on reboot in messages: Nov 10 15:51:31

Re: [Freeipa-users] certmonger question

2014-11-10 Thread Natxo Asenjo
Hi Nalin, On Mon, Nov 10, 2014 at 5:19 PM, Nalin Dahyabhai na...@redhat.com wrote: On Mon, Nov 10, 2014 at 04:17:49PM +0100, Natxo Asenjo wrote: How can I debug this? First thing would be to run the daemon with additional logging - I usually use '-d3' to watch what's going on while

Re: [Freeipa-users] mastercrl.bin very old

2014-11-07 Thread Natxo Asenjo
hi Martin, On Fri, Nov 7, 2014 at 10:46 AM, Martin Kosek mko...@redhat.com wrote: Good! I am glad you fixed the problem. I added this case to http://www.freeipa.org/page/Troubleshooting#CRL_gets_very_old nice. Hopefully it will help someone. I am wondering what caused the issue. In the

Re: [Freeipa-users] mastercrl.bin very old

2014-11-05 Thread Natxo Asenjo
hi, On Wed, Nov 5, 2014 at 9:39 AM, Martin Kosek mko...@redhat.com wrote: On 11/04/2014 01:39 PM, Natxo Asenjo wrote: hi, On Mon, Nov 3, 2014 at 5:21 PM, Rob Crittenden rcrit...@redhat.com wrote: Natxo Asenjo wrote: How often does the crl list get generated? i still do not see recent data

Re: [Freeipa-users] mastercrl.bin very old

2014-11-05 Thread Natxo Asenjo
On Wed, Nov 5, 2014 at 7:37 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: 6489.CRLIssuingPoint-MasterCRL - [03/Nov/2014:09:00:00 CET] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20141103-09.temp (Permission denied) And I think I found

Re: [Freeipa-users] mastercrl.bin very old

2014-11-05 Thread Natxo Asenjo
hi, By the way, is it safe to rename this file: $ ls -lh /var/lib/pki-ca/logs/debug -rw-r-. 1 pkiuser pkiuser 841M Nov 5 19:54 /var/lib/pki-ca/logs/debug It's quite big :-). Can I just rename it while the dirsrv is running and will a new one be created or do I have to stop the pki-cad

Re: [Freeipa-users] mastercrl.bin very old

2014-11-05 Thread Natxo Asenjo
On Wed, Nov 5, 2014 at 7:45 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: And I think I found it: https://fedorahosted.org/freeipa/ticket/3727 permissions of that folder: $ ls -ld publish/ drwxr-xr-x. 2 root root 73728 Jun 13 2013 publish/ I just changed them to pkiuser:pkiuser, let's

Re: [Freeipa-users] mastercrl.bin very old

2014-11-03 Thread Natxo Asenjo
hi, I have been really busy, apologies for the delay in answering. On Wed, Oct 22, 2014 at 5:39 PM, Rob Crittenden rcrit...@redhat.com wrote: Natxo Asenjo wrote: On Mon, Oct 13, 2014 at 9:39 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: But if I get it from the crl generator using /ipa/crl

Re: [Freeipa-users] mastercrl.bin very old

2014-10-14 Thread Natxo Asenjo
On Mon, Oct 13, 2014 at 9:39 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: But if I get it from the crl generator using /ipa/crl/MasterCRL.bin I still get the old crl dated june 28th last year. Should I modify ipa-pki-proxy.conf as well on the CRL generator host to point to the /ca/ee/ca

[Freeipa-users] mastercrl.bin very old

2014-10-13 Thread Natxo Asenjo
hi, yet another certificate authority question. We have a centos 6.5 ipa environment with two domain controllers (kdc01, kdc02). The first one is the first replica and maintains the crl (or so it should). Recently our monitoring warned us that the web host certificate for kdc01 was about to

Re: [Freeipa-users] mastercrl.bin very old

2014-10-13 Thread Natxo Asenjo
On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: But if I go to the crl url (http://kdc01.domain.tld/ipa.crl ) all the files I see are very old (the MasterCRL.bin file is dated 28 june 2013), and on the kdc02 it is newer (July 2 2013). on 28 June 2013 I patched

Re: [Freeipa-users] mastercrl.bin very old

2014-10-13 Thread Natxo Asenjo
On Mon, Oct 13, 2014 at 7:53 PM, Rob Crittenden rcrit...@redhat.com wrote: Natxo Asenjo wrote: On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: But if I go to the crl url (http://kdc01.domain.tld/ipa.crl ) all the files I see are very old (the MasterCRL.bin file

Re: [Freeipa-users] mastercrl.bin very old

2014-10-13 Thread Natxo Asenjo
On Mon, Oct 13, 2014 at 8:17 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: On Mon, Oct 13, 2014 at 7:53 PM, Rob Crittenden rcrit...@redhat.com wrote: Natxo Asenjo wrote: On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: But if I go to the crl url (http://kdc01

[Freeipa-users] kdc certificate web interface expiration warning

2014-10-09 Thread Natxo Asenjo
hi, today our monitoring system started warning us that the web ui certificate for our first kdc will expire in 30 days. I have checked manually with this command: $ sudo getcert list |grep auto-renew auto-renew: yes auto-renew: yes auto-renew: yes auto-renew: yes auto-renew:

Re: [Freeipa-users] kdc certificate web interface expiration warning

2014-10-09 Thread Natxo Asenjo
On Thu, Oct 9, 2014 at 8:42 AM, Natxo Asenjo natxo.ase...@gmail.com wrote: hi, today our monitoring system started warning us that the web ui certificate for our first kdc will expire in 30 days. I have checked manually with this command: $ sudo getcert list |grep auto-renewauto

[Freeipa-users] yet another certificate question

2014-10-09 Thread Natxo Asenjo
hi, if during the enrollment of a host a host certificate is created, then this will be a nssdb type certificate. However, lots of applications use file certificates and we can very easily create one of those (even using configuration management tools): /usr/bin/ipa-getcert request -r -f

Re: [Freeipa-users] yet another certificate question

2014-10-09 Thread Natxo Asenjo
On Thu, Oct 9, 2014 at 2:33 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: hi, if during the enrollment of a host a host certificate is created, then this will be a nssdb type certificate. However, lots of applications use file certificates and we can very easily create one of those (even

Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Natxo Asenjo
hi, On Thu, Sep 18, 2014 at 4:43 PM, Rob Crittenden rcrit...@redhat.com wrote: Yes, you don't need to obtain a machine certificate. In fact we have stopped doing this upstream. Do you mean ipa will not have a CA in the future? Or will it be optional? Or am I misunderstanding this :-) ? I

Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Natxo Asenjo
hi, On Thu, Sep 18, 2014 at 9:05 PM, Rob Crittenden rcrit...@redhat.com wrote: Natxo Asenjo wrote: hi, On Thu, Sep 18, 2014 at 4:43 PM, Rob Crittenden rcrit...@redhat.com mailto:rcrit...@redhat.com wrote: Yes, you don't need to obtain a machine certificate. In fact we have

Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Natxo Asenjo
On Thu, Sep 18, 2014 at 10:51 PM, Rob Crittenden rcrit...@redhat.com wrote: Natxo Asenjo wrote: ok. I was thinking on starting a pilot with dot1.x and hosts certificates are usually used for this, so it would be nice to have a cli switch during enrollment. Ok, do you have a preference

[Freeipa-users] [OT] ldap.conf settings with external CA

2014-09-15 Thread Natxo Asenjo
hi, This might save some time to someone, so let me post it to the list. TLDR, when using php to connect to an AD ldaps host using ADCS from IPA joined hosts modify /etc/openldap/ldap.conf or $HOME/.ldaprc and change the TLS_CACERT environment variable to TLS_CACERT

[Freeipa-users] ipa-getcert request problem

2014-09-15 Thread Natxo Asenjo
hi, Centos 6.5. I want to create a certificate request for our mysql servers. I came up with this command line: $ sudo /usr/bin/ipa-getcert request -r -f /etc/pki/tls/certs/`hostname --fqdn`-mysql.crt -k /etc/pki/tls/private/`hostname --fqdn`-mysql.key -D `dnsdomainname` -U id-kp-serverAuth -K

Re: [Freeipa-users] ipa-getcert request problem

2014-09-15 Thread Natxo Asenjo
On Mon, Sep 15, 2014 at 5:03 PM, Rob Crittenden rcrit...@redhat.com wrote: Natxo Asenjo wrote: hi, Centos 6.5. I want to create a certificate request for our mysql servers. I came up with this command line: $ sudo /usr/bin/ipa-getcert request -r -f /etc/pki/tls/certs/`hostname --fqdn

Re: [Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working

2014-09-09 Thread Natxo Asenjo
On Mon, Sep 8, 2014 at 11:44 AM, Gerardo Padierna asl.gera...@gmail.com wrote: Hello folks, hi, I'm setting up an IPA-server instance aimed to be used primarily for Linux/Unix clients ssh authentication (with kerberos). I've managed to successfully set up debian clients (via sssd and also

Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-01 Thread Natxo Asenjo
On Mon, Sep 1, 2014 at 2:48 PM, Tevfik Ceydeliler tevfik.ceydeli...@astron.yasar.com.tr wrote: Actually all I wanna do is give permission to a user to use some command, for example apt-get or something else. I think I can do it with IPA, right? sure, I do it all the time. But Lukas was

Re: [Freeipa-users] Automount WebDav share

2014-06-09 Thread Natxo Asenjo
On Mon, Jun 9, 2014 at 12:16 PM, Matt . yamakasi@gmail.com wrote: Hi All, Is it possible in some way to automount a WebDav share to a Ubuntu Client when a user logs in on the commandline? I'm only able to use WebDav on these machines. autofs should work with webdav, and googling

Re: [Freeipa-users] Automount WebDav share

2014-06-09 Thread Natxo Asenjo
On Mon, Jun 9, 2014 at 12:41 PM, Matt . yamakasi@gmail.com wrote: Hi, I'm only concerned about how to pass the password in this one... it seems to be hardcoded and I would like to have it used by ldap/freeipa. ideally the webdav server would accept gssapi/kerberos, then you would not

Re: [Freeipa-users] Configuration backup (before Samba integration)

2014-03-27 Thread Natxo Asenjo
On Thu, Mar 27, 2014 at 7:37 AM, צביקה הרמתי haramaty.zv...@gmail.com wrote: Hi. I have a working network with IdM (FreeIPA). I'd like to integrate it with Samba, according to http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/ What's the recommended way to backup current IPA

Re: [Freeipa-users] HELP

2014-03-27 Thread Natxo Asenjo
On Thu, Mar 27, 2014 at 7:58 PM, Todd Maugh tma...@boingo.com wrote: My Master IPA server has been lost, My replica is still up and functioning. what is the best way to proceed? Do I rebuild my master and add it has a replica? how do I get my master back in line with my IPA env?

Re: [Freeipa-users] sudo log errors

2014-01-15 Thread Natxo Asenjo
On Wed, Jan 15, 2014 at 6:49 AM, Simo Sorce s...@redhat.com wrote: On Tue, 2014-01-14 at 11:34 -0500, Dmitri Pal wrote: On 01/14/2014 06:17 AM, Natxo Asenjo wrote: Is there anything else I can do or do I just have to live with the error on syslog? I wonder if putting this user

Re: [Freeipa-users] sudo log errors

2014-01-15 Thread Natxo Asenjo
On Wed, Jan 15, 2014 at 10:59 AM, Jakub Hrozek jhro...@redhat.com wrote: On Wed, Jan 15, 2014 at 10:09:20AM +0100, Natxo Asenjo wrote: On what platform are you ? With sudo-sssd integration you shouldn't use directly ldap anymore. centos 6.5 on these hosts. So if I use sssd instead of ldap

[Freeipa-users] sudo log errors

2014-01-14 Thread Natxo Asenjo
hi, after using sudo from ipa extensively I needed to configure a local user to also use sudo. This is for monitoring, we use nagios. It works but now I have lots of error messages in /var/log/messages like this one: sudo: GSSAPI Error: Unspecified GSS failure. Minor code may provide more

Re: [Freeipa-users] How to disable user automatically when he becomes locked

2013-12-04 Thread Natxo Asenjo
On Wed, Dec 4, 2013 at 10:59 AM, Исаев Виталий Анатольевич is...@fintech.ru wrote: Dear Freeipa users and developers, We need to alter the default behavior of the IdM server in the situation when user exceeds the limit of incorrect password login attempts. By default the user is getting

Re: [Freeipa-users] How to disable user automatically when he becomes locked

2013-12-04 Thread Natxo Asenjo
On Wed, Dec 4, 2013 at 11:44 AM, Natxo Asenjo natxo.ase...@gmail.com wrote: On Wed, Dec 4, 2013 at 10:59 AM, Исаев Виталий Анатольевич is...@fintech.ru wrote: Dear Freeipa users and developers, We need to alter the default behavior of the IdM server in the situation when user exceeds

Re: [Freeipa-users] How to disable user automatically when he becomes locked

2013-12-04 Thread Natxo Asenjo
On Wed, Dec 4, 2013 at 12:05 PM, Martin Kosek mko...@redhat.com wrote: On 12/04/2013 11:53 AM, Natxo Asenjo wrote: On Wed, Dec 4, 2013 at 11:44 AM, Natxo Asenjo natxo.ase...@gmail.com wrote: On Wed, Dec 4, 2013 at 10:59 AM, Исаев Виталий Анатольевич is...@fintech.ru wrote: To change a value

[Freeipa-users] postfix ipa

2013-11-29 Thread Natxo Asenjo
hi, just came across Erinn Looney-Triggs's excellent writeup on using kerberos for relaying e-mail (https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/) and have a question. Would it not be possibly easier to just use the host's keytab

[Freeipa-users] kerberized nfsv4 client

2013-08-28 Thread natxo asenjo
hi, probably a stupid question but why do we need to have a host spn in the kerberos domain for the nfsv4 client to work? I do not need a host spn principal to access a cifs share on a Windows AD environment, I can just kinit user@AD.domain from my laptop that is not joined to the AD domain

Re: [Freeipa-users] kerberized nfsv4 client

2013-08-28 Thread natxo asenjo
On 08/28/2013 12:00 PM, Ondrej Valousek wrote: Because with NFS (v3 or v4) it is a bit more complicated. With smbclient, you are actually not mounting the filesystem so that the smbclient is happy with just your TGT. With NFS, you typically need two tickets: 1. one host (or nfs) so that root

Re: [Freeipa-users] PKI-CAD couldn't start

2013-07-12 Thread natxo asenjo
On 07/12/2013 10:55 AM, Christian Schmitt wrote: I can't start the IPA Service with service ipa start after a reboot. It fails on the pki-cad service, that only outputs 'grep --help' gives you more information. I'm really not sure what's the correct error and how to restart ipa now. logs?

Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-12 Thread natxo asenjo
On 07/11/2013 11:39 PM, KodaK wrote: This only works for sshd, obviously. We do currently have ftp and telnet open (yeah, I know) but I'm trying to get those turned off. In the meantime I can use tcp-wrappers to only allow those machines that need to connect. This is sub-optimal, since

Re: [Freeipa-users] Virtual Machines??

2013-07-09 Thread natxo asenjo
On 07/08/2013 03:49 PM, Schmitt, Christian wrote: Hello, is there currently a good way to install FreeIPA or IdM in virtual machines? Currently we have some Windows Hyper-V Hypervisors since we are planning to buy some Dell Hardware that can't run Linux yet, the Dell VRTX. Also we want to

Re: [Freeipa-users] Sudo Commands and groups confusion

2013-06-12 Thread Natxo Asenjo
On Wed, Jun 12, 2013 at 1:56 AM, Sina Owolabi shinacaly...@gmail.com wrote: Hi Please help me understand what I am doing wrong: I'm using two RHEL6.4 ipa servers in a multi-master configuration Instead of creating multiple sudocmdgroups and sudo rules, I tried to subset what I could see in

Re: [Freeipa-users] Error replicating between two masters over VPN

2013-06-07 Thread Natxo Asenjo
On Fri, Jun 7, 2013 at 11:37 AM, Endre Karlson endre.karl...@gmail.com wrote: Hi, I am seeing some trouble with replication between two of my master servers. Here's the logs: [05/Jun/2013:12:59:57 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id []

[Freeipa-users] why default shell /bin/sh

2013-06-06 Thread Natxo Asenjo
hi, just interested. We have noticed that ldap users have this PS1 envvar: PS1='\s-\v\$ ' instead of the usual [\u@\h \W]\$ This is a confusing moment. Changing the shell to /bin/bash solves this, but maybe this is not optimal for other systems or users. -- Groeten, natxo

Re: [Freeipa-users] why default shell /bin/sh

2013-06-06 Thread Natxo Asenjo
On Thu, Jun 6, 2013 at 4:30 PM, Rob Crittenden rcrit...@redhat.com wrote: Natxo Asenjo wrote: hi, just interested. We have noticed that ldap users have this PS1 envvar: PS1='\s-\v\$ ' instead of the usual [\u@\h \W]\$ This is a confusing moment. Changing the shell to /bin/bash solves

Re: [Freeipa-users] SSSD/SSH authentication issues on some hosts

2013-06-02 Thread Natxo Asenjo
On Sun, Jun 2, 2013 at 9:49 PM, Ryan Cunningham ryan.cunningham.xy...@gmail.com wrote: Hello, I've been evaluating FreeIPA in a lab environment prior to possibly rolling it out in our enterprise but have been having issues with a few hosts rejecting SSH logins for users authenticated against

Re: [Freeipa-users] SSSD/SSH authentication issues on some hosts

2013-06-02 Thread Natxo Asenjo
On Mon, Jun 3, 2013 at 12:38 AM, Ryan Cunningham ryan.cunningham.xy...@gmail.com wrote: What I see is: fatal: Access denied for user admin by PAM account configuration What about disabling selinux? Whoops, I probably should have caught these myself. Disabling SELinux fixed one of the

Re: [Freeipa-users] Suppressing the domain section after authentication

2013-05-29 Thread Natxo Asenjo
On Wed, May 29, 2013 at 10:55 PM, William Muriithi william.murii...@gmail.com wrote: Hello I have set up gitolite3 and its working fine when I connect to it through ssh. I am using LDAP (FreeIPA) for authorization. When I connect through http/https, I am authenticated, but I believe

Re: [Freeipa-users] FreeIPA - Help ...

2013-05-24 Thread Natxo Asenjo
On Fri, May 24, 2013 at 4:18 PM, Martin Kosek mko...@redhat.com wrote: Simo, on a side note - I am thinking, would it make sense to create a new command ipa migrate-ipa which would migrate data from other IPA installation? I.e. it would migrate users, groups, hosts, sudo, hbac, automount,

Re: [Freeipa-users] ssh login from windows AD trust host not working

2013-04-20 Thread Natxo Asenjo
On Sat, Apr 20, 2013 at 8:32 PM, Sumit Bose sb...@redhat.com wrote: On Fri, Apr 19, 2013 at 10:14:36PM +0200, Natxo Asenjo wrote: # wbinfo --online-status BUILTIN : online IPA : online AD : offline # wbinfo --domain-info ad.asenjo.nx Name : AD Alt_Name

[Freeipa-users] problems with trust with AD (2 different domains

2013-04-19 Thread Natxo Asenjo
hi, while following the instructions in https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html I run step 9: smbclient -L kdc.ipa.asenjo.nx -k lp_load_ex: changing to config backend registry Connection to

Re: [Freeipa-users] problems with trust with AD (2 different domains

2013-04-19 Thread Natxo Asenjo
On Fri, Apr 19, 2013 at 11:27 AM, Sumit Bose sb...@redhat.com wrote: On Fri, Apr 19, 2013 at 11:03:02AM +0200, Natxo Asenjo wrote: hi, while following the instructions in https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust

Re: [Freeipa-users] problems with trust with AD (2 different domains

2013-04-19 Thread Natxo Asenjo
I saw there is a log in /var/log/samba/log.wb-IPA The log complains about missing keys for the spn for the hostname (not the fqdn, just the hostname): Connection to LDAP server failed for the 15 try! [2013/04/19 11:39:22.352522, 0] ipa_sam.c:3689(bind_callback_cleanup) kerberos error:

Re: [Freeipa-users] problems with trust with AD (2 different domains

2013-04-19 Thread Natxo Asenjo
domain Trust status: Established and verified And it is working :-) Awesome. Thanks! -- groet, natxo -- Groeten, natxo On Fri, Apr 19, 2013 at 12:11 PM, Sumit Bose sb...@redhat.com wrote: On Fri, Apr 19, 2013 at 11:45:47AM +0200, Natxo Asenjo wrote: I saw there is a log in /var/log/samba

Re: [Freeipa-users] problems with trust with AD (2 different domains

2013-04-19 Thread Natxo Asenjo
hi, just a little 'but'. when verifying the trust (point 12 https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html) # kinit user Password for nase...@ipa.asenjo.nx: [root@kdc ~]# kvno

Re: [Freeipa-users] problems with trust with AD (2 different domains

2013-04-19 Thread Natxo Asenjo
On Fri, Apr 19, 2013 at 1:08 PM, Sumit Bose sb...@redhat.com wrote: On Fri, Apr 19, 2013 at 12:47:47PM +0200, Natxo Asenjo wrote: hi, just a little 'but'. when verifying the trust (point 12 https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html

[Freeipa-users] ssh login from windows AD trust host not working

2013-04-19 Thread Natxo Asenjo
hi, after successfully configuring the trust between 2 different domains (IPA.ASENJO.NX and AD.ASENJO.NX) I would like to login from the windows host to the linux host using the trusted kerberos tickets. This is my krb.conf in the linux host: includedir /var/lib/sss/pubconf/krb5.include.d/

Re: [Freeipa-users] ssh login from windows AD trust host not working

2013-04-19 Thread Natxo Asenjo
hi, some progress. I disabled the firewall of the linux host (also the kdc, incidentally). From the Windows host using the AD Domain and Trusts tool I can verify the trust and using putty I can login and get the linux kerberos tickets as a windows realm user. If I enable the firewall and I do

Re: [Freeipa-users] ssh login from windows AD trust host not working

2013-04-19 Thread Natxo Asenjo
hi, a bit puzzled now. I have joined another 2k8r2 host to the AD domain that is trusted by the ipa domain. As AD\administrator I can ssh to the linux host. I create a bunch of AD users, standard members of 'Domain Users'. But I cannot login to the linux host. When I run wbinfo --online-status

[Freeipa-users] setting up a trust problem

2013-04-18 Thread Natxo Asenjo
hi, On a centos 6.4 testlab I am testing a trust with a windows 2008r2 domain (separate dns domains). Following the docs https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html I install the cifs-utils package but

Re: [Freeipa-users] setting up a trust problem

2013-04-18 Thread Natxo Asenjo
Is the cifs-utils package really necessary? cifs-utils is not needed for trusts to function. I guess documentation was implying that cifs-utils might have been installed for mounting CIFS shares. ok, thanks for clarifying this. In the link I posted you can read this: The cifs-utils package

Re: [Freeipa-users] bit OT: trouble getting nfsv4 with kerberos with ipa and opensolaris

2013-04-13 Thread Natxo Asenjo
: zfs set sharenfs='sec=krb5' pool/dataset Natxo Asenjo natxo.ase...@gmail.com wrote: hi, thanks, still not working though: # share -F nfs -o sec=krb5 -d homedirs /export/home Could not share: /export/home: invalid security type # zfs set sharenfs=sec=krb5 rpool/export/home cannot set

[Freeipa-users] bit OT: trouble getting nfsv4 with kerberos with ipa and opensolaris

2013-04-12 Thread Natxo Asenjo
hi, apparently what I am trying to do is not very usual because I do not get any answer on the omnios (opensolaris derivative) mailing list. I have successfully joined a host to the ipa domain, I can log in the omnios host as an ipa user, getent works, kerberos works (thanks to Johan Petersson

Re: [Freeipa-users] bit OT: trouble getting nfsv4 with kerberos with ipa and opensolaris

2013-04-12 Thread Natxo Asenjo
hi, thanks, still not working though: # share -F nfs -o sec=krb5 -d homedirs /export/home Could not share: /export/home: invalid security type # zfs set sharenfs=sec=krb5 rpool/export/home cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options # zfs set

Re: [Freeipa-users] squid problems when upgrading to 6.4

2013-03-14 Thread Natxo Asenjo
On Thu, Mar 14, 2013 at 9:41 AM, Dale Macartney d...@themacartneyclan.com wrote: Article updated http://www.freeipa.org/page/Squid_Integration_with_FreeIPA_using_Single_Sign_On awesome! Thanks, natxo

Re: [Freeipa-users] squid problems when upgrading to 6.4

2013-03-13 Thread Natxo Asenjo
On Wed, Mar 13, 2013 at 10:45 PM, Dale Macartney d...@themacartneyclan.com wrote: I've just deployed a RHEL 6.4 proxy and the guide is still accurate and works.. however I agree a config file would be a better place for the options. Both work at the end of the day. yes, the guide is accurate,

Re: [Freeipa-users] IPA with ILO

2013-02-22 Thread Natxo Asenjo
On Fri, Feb 22, 2013 at 4:52 PM, KodaK sako...@gmail.com wrote: Just curious if anyone has configured HP ILO to authenticate against IPA. I'm just starting out and the fact that the ILO configuration screen has a section for a SID has me a bit concerned. i have not touched new HP gear for a

Re: [Freeipa-users] Trouble creating replica

2013-02-19 Thread Natxo Asenjo
On Tue, Feb 19, 2013 at 5:58 PM, Bret Wortman bret.wort...@damascusgrp.com wrote: Digging a bit deeper, I found this in /var/log/pki-ca/catalina.out: : Could not connect to LDAP server host oldmaster.my.com port 7389 Error netscape.ldap.LDAPException: failed to connect to server ldap://

Re: [Freeipa-users] Granting rights temporarily

2013-02-14 Thread Natxo Asenjo
On Thu, Feb 14, 2013 at 10:02 AM, Dag Wieers d...@wieers.com wrote: Hi, Another interesting recommendation from security is that all granted access (that is exceptional, rather than permanent) should be limited in time from the onset. If this is not possible all granted access needs to be

Re: [Freeipa-users] error adding replica

2013-02-09 Thread Natxo Asenjo
On Fri, Jan 11, 2013 at 4:19 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: On Fri, Jan 11, 2013 at 3:51 PM, Rob Crittenden rcrit...@redhat.com wrote: Natxo Asenjo wrote: I just tried again to create a replica and had exactly the same error as on the thread's first post. in ipareplica

Re: [Freeipa-users] RHEL 6.3 identity manual - IPA

2013-02-04 Thread Natxo Asenjo
On Mon, Feb 4, 2013 at 9:33 AM, Rajnesh Kumar Siwal rajnesh.si...@gmail.com wrote: IPA client on CentOS 5.6 was not able to take care of it.) that's why you should be using a config management tool like cfengine, puppet, chef, ansible, ., (choose your poison). Organizations usually have

Re: [Freeipa-users] non-expiring password policy (or as close as I can come)

2013-01-24 Thread Natxo Asenjo
On Thu, Jan 24, 2013 at 10:51 PM, KodaK sako...@gmail.com wrote: I have a need to have certain mission critical application accounts non-expiring (people don't log in directly, but if the accounts expire it could stop production jobs.) Without knowing anything about this particular case, could

Re: [Freeipa-users] problems with netgroups cached values

2013-01-08 Thread Natxo Asenjo
On Tue, Jan 8, 2013 at 2:48 PM, Ondrej Kos o...@redhat.com wrote: could you please provide more logs? I tried to set up same environment, with sssd-1.8.0-32.el6.x86_64, and everything works fine, so you might be hitting some race condition. sure, I will send you debug 9 logs to your corporate

[Freeipa-users] ipa admin tool error ipa: ERROR: Client is not configured. Run ipa-client-install.

2013-01-07 Thread Natxo Asenjo
hi, on a workstation *not* joined to the IPA domain but with the ipa admin tools installed I get this error when trying to modify dns settings and I have a kerberos ticket of an admin user: $ kinit user.ad...@unix.domain.tld Password for user.ad...@unix.domain.tld $ klist Ticket cache:

Re: [Freeipa-users] problems with netgroups cached values

2013-01-07 Thread Natxo Asenjo
On Mon, Jan 7, 2013 at 12:18 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: How could I troubleshoot this? i have upped the debugging on sssd.conf debug_level = 9 and reloaded sssd. When I run # getent netgroup nagios nagios [root@ipaclient01 ~]# grep -i nagios /var/log/sssd/*.log /var/log

Re: [Freeipa-users] problems with netgroups cached values

2013-01-07 Thread Natxo Asenjo
On Mon, Jan 7, 2013 at 1:07 PM, Jakub Hrozek jhro...@redhat.com wrote: On Mon, Jan 07, 2013 at 12:18:12PM +0100, Natxo Asenjo wrote: hi, in sssd.conf I have this regarding netgroup caching info: entry_cache_netgroup_timeout = 300 After the file was modified, the sssd daemon was reloaded

Re: [Freeipa-users] problems with netgroups cached values

2013-01-07 Thread Natxo Asenjo
On Mon, Jan 7, 2013 at 8:20 PM, Jakub Hrozek jhro...@redhat.com wrote: On Mon, Jan 07, 2013 at 03:55:49PM +0100, Natxo Asenjo wrote: hi, On Mon, Jan 7, 2013 at 3:20 PM, Jakub Hrozek jhro...@redhat.com wrote: On Mon, Jan 07, 2013 at 01:17:21PM +0100, Natxo Asenjo wrote: On Mon, Jan 7, 2013

Re: [Freeipa-users] error adding replica

2012-12-13 Thread Natxo Asenjo
hi, On Thu, Dec 13, 2012 at 1:46 AM, Dmitri Pal d...@redhat.com wrote: The holidays are coming. It is unlikely that we would be able to look into it till Jan. that is no problem at all, we have the same issues ;-) Do you want me to keep the vm's around for troubleshooting the issue when

Re: [Freeipa-users] DNS: sub-domain or new domain

2012-12-12 Thread Natxo Asenjo
hi, On Wed, Dec 12, 2012 at 7:45 PM, Patrick Bakker patr...@vanbelle.com wrote: I just joined this list because I was curious about the recent discussion that Rashard Kelly had started about whether to use FreeIPA's integrated DNS or whether to disable DNS. I'm wondering about a very similar

Re: [Freeipa-users] error adding replica

2012-12-12 Thread Natxo Asenjo
hi, On Fri, Dec 7, 2012 at 4:28 PM, Rob Crittenden rcrit...@redhat.com wrote: a bit late, but here is the output of /var/log/ipareplica-install.log and /var/log/pki-ca/debug ; I did not find a /var/log/ipaserver-install.log in the replica server. The dogtag installer is failing with the

Re: [Freeipa-users] sssd cache

2012-12-07 Thread Natxo Asenjo
On Wed, Dec 5, 2012 at 3:29 PM, Simo Sorce s...@redhat.com wrote: As a test to show why the cache is important do this: 1. Create a directory 2. create 100 files in this directory 3. chown each file to a different user and a different group each 4. stop sssd, wipe cache file and restart 5.

Re: [Freeipa-users] sssd cache

2012-12-05 Thread Natxo Asenjo
On Wed, Dec 5, 2012 at 3:11 PM, Jakub Hrozek jhro...@redhat.com wrote: On Wed, Dec 05, 2012 at 02:20:40PM +0100, Natxo Asenjo wrote: hi, why would I want sssd to cache group/hostgroup/netgroup membership? Is the performance hit so huge on the ldap servers? I ask this because Windows admins

[Freeipa-users] error adding replica

2012-12-02 Thread Natxo Asenjo
hi, I have a 6.3 centos server that has been upgraded since 6.1. According to the ipaserver-install.log, I installed it on feb 3 2012 so it has been upgraded at least once. Now that I have more hardware to run a few more vm's I can test replicas. But apparently I am running into this problem:

[Freeipa-users] libvirt with vnc freeipa

2012-11-30 Thread Natxo Asenjo
hi, I'm following the howto on http://freeipa.org/page/Libvirt_with_VNC_Consoles to authenticate users for virsh with ipa. I have it mostly working :-) except for the fact that libvirtd is not respecting the sasl_allowed_username_list parameter. If I do not set it, and I have a realm ticket,

Re: [Freeipa-users] [libvirt-users] libvirt with vnc freeipa

2012-11-30 Thread Natxo Asenjo
Sorce wrote: Hi Natxo, On Fri, 2012-11-30 at 13:06 +0100, Natxo Asenjo wrote: hi, I'm following the howto on http://freeipa.org/page/Libvirt_with_VNC_Consoles to authenticate users for virsh with ipa. I have it mostly working :-) except for the fact that libvirtd is not respecting

Re: [Freeipa-users] [libvirt-users] libvirt with vnc freeipa

2012-11-30 Thread Natxo Asenjo
On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange berra...@redhat.com wrote: On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote: hi, sasl_allowed_username_list = [ad...@ipa.example.com ] if I leave this field commented out (default setting), everybody can manage the kvm host

Re: [Freeipa-users] [libvirt-users] libvirt with vnc freeipa

2012-11-30 Thread Natxo Asenjo
On Fri, Nov 30, 2012 at 4:52 PM, Simo Sorce s...@redhat.com wrote: Natxo it sounds odd that you are getting back a non fully qualified principal name, are you sure your configuration is using SASL/GSSAPI ? What other directives have you configured ? I have followed the howto in the

Re: [Freeipa-users] [libvirt-users] libvirt with vnc freeipa

2012-11-30 Thread Natxo Asenjo
On Fri, Nov 30, 2012 at 4:20 PM, Daniel P. Berrange berra...@redhat.com wrote: On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote: Thanks. If I may just hijack this thread: is it possible to whitelist groups instead of individual users to use virsh/virtual manager? I know sasl only

[Freeipa-users] RFE: default hbac is too open

2012-11-30 Thread Natxo Asenjo
hi, the default hbac rule 'allow_all' is nice for testing, but for a production environment I am not so sure ;-) We do not want our users getting a shell in our kdc servers or in the database servers for instance. We want them to use the postgresql service, but not login the database server with

Re: [Freeipa-users] Solaris 10 and Solaris 11 clients

2012-11-28 Thread Natxo Asenjo
hi, On Wed, Nov 28, 2012 at 12:02 AM, Tim Wissman tim.wiss...@gmail.com wrote: Folks - I have started using FreeIPA and have tried to download the Solaris 10 nss-ldap for the intel platform, but when i tried to save the file i received an error saying the server had issues. I was able to

Re: [Freeipa-users] failure to register dns on joining IPA domain

2012-11-20 Thread Natxo Asenjo
On Tue, Nov 20, 2012 at 9:28 AM, Petr Spacek pspa...@redhat.com wrote: Hello, On 11/19/2012 05:28 PM, Natxo Asenjo wrote: On Mon, Nov 19, 2012 at 10:03 AM, Petr Spacek pspa...@redhat.com wrote: Hello, hi, The log showed the root cause: Dynamic Update is not allowed in zone idnsname

Re: [Freeipa-users] IPA weirdness with Samba, Dovecot IMAP and SSHD

2012-11-19 Thread Natxo Asenjo
hi, Qing On Sat, Nov 17, 2012 at 8:20 PM, Qing Chang qch...@sri.utoronto.ca wrote: 2, Dovecot + IPA: it is not an IPA issue but sss cache timeout issue, I read it's 90 min? When a user changes his/her password, the cache usually is not updated, hence problem checking IMAP email with

[Freeipa-users] failure to register dns on joining IPA domain

2012-11-16 Thread Natxo Asenjo
hi, this is a part of ipaclient-install.log 2012-11-16T12:12:32Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt : zone ipa.domain.tld. update delete host.ipa.domain.tld. IN SSHFP send update add host.ipa.domain.tld. 1200 IN SSHFP 1 1 904DA80AD2554ABEC354599E6876 89307F4ADCF3 update

[Freeipa-users] sssd cache

2012-11-16 Thread Natxo Asenjo
hi, when running getent netgroup netgroupname I get old entries. Apparently sssd is being helpful :-) and caching info, but it should not do it when I am connected to the domain (IMHO). According to

Re: [Freeipa-users] Different primary group on different machines.

2012-10-26 Thread Natxo Asenjo
On Thu, Oct 25, 2012 at 9:11 PM, KodaK sako...@gmail.com wrote: We have many different development groups, but people can be members of multiple groups. For collaboration, they'd like it when creating a file to have that file have a group ownership of foo on machine-A, but bar on machine-B.

Re: [Freeipa-users] Different primary group on different machines.

2012-10-26 Thread Natxo Asenjo
requirement as nobody would ever think of it in Windows. Not happy w/ traditional Unix permissions? Go for ACLs. The only pity is that the current Posix-draft hack widely used on all Linuxes is a mess and Rich-acl support is still nowhere in sight :-( Ondrej On 10/26/2012 09:07 AM, Natxo

[Freeipa-users] how to unlock an account from ldap

2012-10-25 Thread Natxo Asenjo
hi, how can I unlock the admin password using ldap commands? I mistyped the password using kinit a couple of times and now the account is locked. I have already changed the passwd using the command in https://www.redhat.com/archives/freeipa-users/2011-May/msg00144.html, but I still cannot login

Re: [Freeipa-users] how to unlock an account from ldap

2012-10-25 Thread Natxo Asenjo
On Thu, Oct 25, 2012 at 11:33 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: hi, how can I unlock the admin password using ldap commands? I mistyped the password using kinit a couple of times and now the account is locked. I have already changed the passwd using the command in https

Re: [Freeipa-users] Announcing FreeIPA v3.0.0 Release

2012-10-14 Thread Natxo Asenjo
On Fri, Oct 12, 2012 at 8:06 PM, Rob Crittenden rcrit...@redhat.com wrote: The FreeIPA team is proud to announce version FreeIPA v3.0.0. It can be downloaded from http://www.freeipa.org/Downloads. A build is on the way to updates-testing for Fedora 18. FreeIPA 3.0.0 works well in Fedora 17
