Re: [Freeipa-users] Install best practice -

2016-05-30 Thread Natxo Asenjo
On Mon, May 30, 2016 at 7:14 AM, Ben .T.George wrote: > Hi > > thanks for the reply. > > "the easiest would be to create a zone and delegating that to the ipa > hosts. No other change necessary." > > can you explain little more. You mean need to create separate DNS zone ? > > create a zone in you

Re: [Freeipa-users] freeipa and NAS

2011-06-28 Thread Natxo Asenjo
On Tue, Jun 28, 2011 at 6:35 PM, Sigbjorn Lie wrote: > In my NexentaStor configuration, the NFS service is using FreeIPA > (nss_ldap+krb5), and the CIFS > service is using Active Directory (nss_ad) for user authentication. that is awesome! Could you write an instruction of how you did that? Nex

Re: [Freeipa-users] Reinstalling a host without deleting

2011-11-15 Thread Natxo Asenjo
On Tue, Nov 15, 2011 at 12:40 AM, Dan Scott wrote: > Hi, > > Is there a 'nice' way to reinstall a host? i.e. The host has already > been installed in FreeIPA and for whatever reason I need to reinstall > the OS, so I have a clean system and the host is already enrolled on > the server. > > ipa-cli

Re: [Freeipa-users] Reinstalling a host without deleting

2011-11-15 Thread Natxo Asenjo
On Tue, Nov 15, 2011 at 2:38 PM, Simo Sorce wrote: > On Tue, 2011-11-15 at 08:33 -0500, Dan Scott wrote: >> Hi, >> >> On Tue, Nov 15, 2011 at 07:07, Natxo Asenjo wrote: >> > On Tue, Nov 15, 2011 at 12:40 AM, Dan Scott >> > wrote: >> >> Hi, &g

Re: [Freeipa-users] Solaris 10 as IPA Client?

2011-12-05 Thread Natxo Asenjo
On Mon, Dec 5, 2011 at 10:05 PM, Steven Jones wrote: > Hi > > 8>< > > What you need is some knowledge of LDAP, and to work with your vendors > to figure out how they should be configured to work with IPA. > > 8><--- > Funny but I thought a goal of IPA was to make this easierso you

[Freeipa-users] dns delegated zone issue

2011-12-07 Thread Natxo Asenjo
hi, for 'historical' reasons, I have a working dns zone in my lan, say example.com. In this zone, I have delegated an ipa.example.com zone for ipa. I have setup freeipa (homelab, SL 6.1 with version ipa-server-2.0.0-23.el6.i686) and it works, I have a server and a client (kdc.ipa.example.com and

Re: [Freeipa-users] dns delegated zone issue

2011-12-09 Thread Natxo Asenjo
On Fri, Dec 9, 2011 at 1:55 AM, Simo Sorce wrote: >> If I login using a fqdn instead of the simple one, then it works. The >> funny thing is, I can use the simple dns name to login the kdc server. >> Why? > > Not sure why it work on your kdc, perhaps you have entries in /etc/hosts that > resolve

Re: [Freeipa-users] Dovecot IMAP with IPA 2.x?

2012-02-03 Thread Natxo Asenjo
On Fri, Feb 3, 2012 at 8:31 AM, Dale Macartney wrote: > I have been experimenting with how best to address this, however I am > constantly being pushed back to the only way of having a userdir that > actually exists would be a homdir which would be created when a user > first logs in. > > Yes, if

Re: [Freeipa-users] Dovecot IMAP with IPA 2.x?

2012-02-03 Thread Natxo Asenjo
On Fri, Feb 3, 2012 at 9:02 AM, Natxo Asenjo wrote: > On Fri, Feb 3, 2012 at 8:31 AM, Dale Macartney > wrote: > >> I have been experimenting with how best to address this, however I am >> constantly being pushed back to the only way of having a userdir that >> actual

[Freeipa-users] automount questions

2012-03-11 Thread Natxo Asenjo
hi, First question: according to the docs in http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/configuring-automount.html#Configuring_Automount-Configuring_autofs_on_Linux when configuring autofs you can choose to enter LDAP_URI in two ways, the lazy one (+1

Re: [Freeipa-users] automount questions

2012-03-12 Thread Natxo Asenjo
On Mon, Mar 12, 2012 at 9:34 AM, Ondrej Valousek wrote: > Your LDAP_URI is incorrect. Please make sure you follow the documentation > exactly. > Perhaps you actually wanted to say: > > LDAP_URI="ldap:///dc=ipa,dc=domain,dc=nx"; > argh, you're right. But .. if I do not specify a ldap search base

[Freeipa-users] mobile users questions

2012-03-16 Thread Natxo Asenjo
hi, How are you folks coping with mobile (laptop) users and their homedirs? Is there something like the offline files for Windows networks? I found a patch for rsync (http://jrds.fr/rsynck) that kerberizes the rsyncd daemon. Has anybody experience with it? Is the patch upstream? This could be us

[Freeipa-users] http service keytab for cname virtual host

2012-03-28 Thread Natxo Asenjo
hi, enable a kerberized site with the fqdn is very easy with freeipa but we would like to use virtual hosting and kerberized sites. I have joined a host webserver01.ipa.domain.tld to a ipa realm. I then created a spn HTTP/webserver01.ipa.domain.tld, generated the keytab, configured the apache web

Re: [Freeipa-users] http service keytab for cname virtual host

2012-03-29 Thread Natxo Asenjo
On Wed, Mar 28, 2012 at 11:36 PM, Simo Sorce wrote: > > CNAMEs should work just fine with the host's HTTP/A-name@REALM key. > In fact I just tested a virtual host on my ipa server using a cname and > it worked. > great! > Can you post your (sanitized) mod_auth_kerb configuration ? > Also what

Re: [Freeipa-users] http service keytab for cname virtual host

2012-03-29 Thread Natxo Asenjo
On Thu, Mar 29, 2012 at 8:25 PM, Simo Sorce wrote: > Your configuration looks right, but I went back and looked at your logs > and I saw a permission denied error. > > I would check that the apache user can access the keytab > file: /etc/httpd/conf/webserver01_http.keytab > If you are using RHEL/

Re: [Freeipa-users] Replication status

2012-05-21 Thread Natxo Asenjo
On Mon, May 21, 2012 at 3:21 PM, Rich Megginson wrote: > On 05/21/2012 07:13 AM, Dan Scott wrote: > >> >> > https://fedorahosted.org/freeipa/ticket/2770 >> >> I've modified the nagios perl script that I got from: >> >> http://directory.fedoraproj

[Freeipa-users] howto: mediawiki + IPA

2012-06-08 Thread Natxo Asenjo
hi, This is work in progress but maybe useful for someone. http://test.asenjo.nl/index.php/Mediawiki_ipa (feel free to use it for the freeipa.org wiki, I consider it public domain). -- Groeten, natxo ___ Freeipa-users mailing list Freeipa-users@redhat.

Re: [Freeipa-users] howto: mediawiki + IPA

2012-06-08 Thread Natxo Asenjo
On Fri, Jun 8, 2012 at 12:37 PM, Ondrej Hamada wrote: > On 06/08/2012 10:16 AM, Natxo Asenjo wrote: > > hi, > > This is work in progress but maybe useful for someone. > > http://test.asenjo.nl/index.php/Mediawiki_ipa > > (feel free to use it for the freeipa.org

Re: [Freeipa-users] eJabberd authentication with FreeIPA via LDAP with Group member validation

2012-06-14 Thread Natxo Asenjo
On Thu, Jun 14, 2012 at 12:54 PM, Dale Macartney wrote: > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > I've just placed another wiki article for adding Jabber services to IPA. > This is a work in progress as I'm aiming for SSO ability, but thought > someone might find it useful in the int

[Freeipa-users] xmpp/jabber SSO with freeipa

2012-06-16 Thread Natxo Asenjo
hi, After some initial troubles (thanks rcrit on irc) I got this to work nicely. I have used the openfire http://www.igniterealtime.org/projects/openfire/index.jsp xmpp/jabber server. Instructions here: http://test.asenjo.nl/index.php/Openfire_ipa -- Groeten, natxo _

Re: [Freeipa-users] xmpp/jabber SSO with freeipa

2012-06-17 Thread Natxo Asenjo
On Sun, Jun 17, 2012 at 3:27 PM, Simo Sorce wrote: > On Sat, 2012-06-16 at 23:45 +0200, Natxo Asenjo wrote: > > hi, > > > > After some initial troubles (thanks rcrit on irc) I got this to work > > nicely. I have used the openfire > > http://www.igniterealtime.org

Re: [Freeipa-users] kerberos principals for service accounts (cn=etc, cn=sysaccounts)

2012-06-19 Thread Natxo Asenjo
On Tue, Jun 19, 2012 at 6:54 PM, Simo Sorce wrote: > Yes with IPA you can use service principals to initiate context w/o > problems. That's why I suggested you use a service principal. > AD has a limitation that you must use an actual user to initiate a > context, that may be where the suggestio

Re: [Freeipa-users] Request for comments - Apache SNI via IPA with kerberos authentication

2012-06-19 Thread Natxo Asenjo
On Tue, Jun 19, 2012 at 2:04 PM, James Hogarth wrote: > Hi all, > > As mentioned on IRC today I've finished my write up of using Apache > with SNI and kerberos authentication with an IPA backend > > I'd be interested in any feedback: > > http://freeipa.org/page/Apache_SNI_With_Kerberos > nice

[Freeipa-users] rfe: ldap for dhcp

2012-06-26 Thread Natxo Asenjo
hi, recently it was brought to my attention that isp-dhcpd version 4.2 supports getting its database information from ldap. Earlier versions support it as well with a patch. It would be awesome if this could be integrated in IPA. I am aware you guys have your hands full with plenty of stuff, bu

Re: [Freeipa-users] rfe: ldap for dhcp

2012-06-26 Thread Natxo Asenjo
On Tue, Jun 26, 2012 at 3:13 PM, Stephen Gallagher wrote: > On Tue, 2012-06-26 at 15:02 +0200, Natxo Asenjo wrote: > > hi, > > > > recently it was brought to my attention that isp-dhcpd version 4.2 > > supports getting its database information from ldap. Earlier vers

[Freeipa-users] kdc on the internet

2012-06-29 Thread Natxo Asenjo
hi, Is it 'safe' to use ipa on the internet? My feeling is its, I mean, kerberos is meant for untrusted networks. What are your thoughts about this? What ports should of the kdc *not* be accessible? -- Groeten, natxo ___ Freeipa-users mailing list Fr

[Freeipa-users] nfs4 acl

2012-06-29 Thread Natxo Asenjo
hi, I followed the instructions here http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/kerb-nfs.html and they worked flawlessly. Is it possible to use acls on nfs4 with a rhel 6 nfs server? if that is not possible, is it possible to use a netapp file as nf

Re: [Freeipa-users] nfs4 acl

2012-07-01 Thread Natxo Asenjo
On Sun, Jul 1, 2012 at 10:39 PM, wrote: > In fact, Netapp is (sadly to say) the only NFSv4 server in the whole world > that can provide you with a true NFSv4 ACLs (remember to turn them on > using options nfs.v4.acl = on). > The nasty hack Rob mentioned will only provide you with POSIX Acls mappe

[Freeipa-users] hostgroups/netgroups

2012-07-04 Thread Natxo Asenjo
hi, I just wanted to say: awesome! Without using the NIS compatibility layer, I just create a hostgroup, fill it in with hosts. Then I add that hostgroup to a netgroup. That's all I need to automagically create classes our cfengine setup can use to distribute policies across the hosts. You guys

Re: [Freeipa-users] sudo hostgroup sanity check, please?

2012-07-10 Thread Natxo Asenjo
On Tue, Jul 10, 2012 at 10:16 PM, KodaK wrote: > On Tue, Jul 10, 2012 at 2:56 PM, Dmitri Pal wrote:> > > Do you see host netgroup coming over to the system when you enumerate > > netgroups? > > I don't know how to do this at the command line. I'm googling for it. > The only thing I'm even va

Re: [Freeipa-users] Desperate help requested.

2012-08-27 Thread Natxo Asenjo
On Sun, Aug 26, 2012 at 6:05 AM, KodaK wrote: > I've just been informed by my boss's boss's boss that, and I quote > from his ridiculous email: > > "we cannot use anything other than MS AD for authentication" > > I've spent months of time and much effort rolling out IPA, > consolidating authentic

Re: [Freeipa-users] openindiana ldap client

2012-09-02 Thread Natxo Asenjo
On Sun, Sep 2, 2012 at 6:58 PM, Sigbjorn Lie wrote: > On 09/02/2012 04:37 PM, Natxo Asenjo wrote: > > One thing I have not yet gotten to work is that these changes are not > persistent across reboots. The ldapclient config stays, but the service > ldap/client does not start

Re: [Freeipa-users] openindiana ldap client

2012-09-02 Thread Natxo Asenjo
On Sun, Sep 2, 2012 at 9:20 PM, Sigbjorn Lie wrote: > > Thank for your tips. I think there might just be something broken with > the ldap/client service in openindiana. This DUAProfile thing is really > nice to use > > > Agreed, it sounds like a bug in OpenIndiana. > > That's odd. A service beco

Re: [Freeipa-users] time limiting users

2012-09-04 Thread Natxo Asenjo
On Tue, Sep 4, 2012 at 11:18 PM, Steven Jones wrote: > Is it possible to limit when users can login? > > of course, pam + time (see https://www.google.com/search?q=pam%20time, the first result looked good on first sight if I recall it correctly). It would be nice to have this functionality in ip

[Freeipa-users] netapp filer AD + ipa: possible?

2012-09-05 Thread Natxo Asenjo
hi, the subject says it all, I guess. I know from another thread that with nexanta it is possible using nsswitch.conf, but I was wondering if someone (Siggi :-) ? ) has (had) this setup working. -- Groeten, natxo ___ Freeipa-users mailing list Freeipa-

Re: [Freeipa-users] openindiana ldap client

2012-09-05 Thread Natxo Asenjo
On Sun, Sep 2, 2012 at 9:57 PM, Natxo Asenjo wrote: > On Sun, Sep 2, 2012 at 9:20 PM, Sigbjorn Lie wrote: > >> >> Thank for your tips. I think there might just be something broken with >> the ldap/client service in openindiana. This DUAProfile thing is really >> n

Re: [Freeipa-users] netapp filer AD + ipa: possible?

2012-09-06 Thread Natxo Asenjo
On Thu, Sep 6, 2012 at 10:31 PM, Sigbjorn Lie wrote: > On 09/05/2012 08:12 PM, Natxo Asenjo wrote: > > hi, > > the subject says it all, I guess. > > I know from another thread that with nexanta it is possible using > nsswitch.conf, but I was wondering if someone (Siggi

Re: [Freeipa-users] netapp filer AD + ipa: possible?

2012-09-07 Thread Natxo Asenjo
On Fri, Sep 7, 2012 at 1:33 PM, Ondrej Valousek wrote: > That is actually the main benefit of the 'ldap.ADdomain' parameter. It > will allow you to simplify configuration and allows easy load > balancing/failover functionality. > We are paying for NetApp support, too so if anyone is going to bug

Re: [Freeipa-users] Stale NFS file handle

2012-09-12 Thread Natxo Asenjo
On Wed, Sep 12, 2012 at 8:26 PM, george he wrote: > Hello, > My ipa server and my nfs server are the same machine running centos 6.3. > try to separate those roles if you can. You can use vm's, it'll work great. > The server was accidentally down and rebooted. > But then I got "authentication

Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-26 Thread Natxo Asenjo
On Wed, Sep 26, 2012 at 5:46 AM, Rob Crittenden wrote: > > Steven Jones wrote: >> >> Hi, >> >> I dont have a ldapmodify command for changing something in AD. >> >> I have increased the only scope I/we know about which is the return of >> objects from a search inside the AD gui but that might be s

Re: [Freeipa-users] Announcing FreeIPA v3.0.0 Release

2012-10-14 Thread Natxo Asenjo
On Fri, Oct 12, 2012 at 8:06 PM, Rob Crittenden wrote: > The FreeIPA team is proud to announce version FreeIPA v3.0.0. > > It can be downloaded from http://www.freeipa.org/Downloads. > > A build is on the way to updates-testing for Fedora 18. FreeIPA 3.0.0 works > well in Fedora 17 but we will not

[Freeipa-users] how to unlock an account from ldap

2012-10-25 Thread Natxo Asenjo
hi, how can I unlock the admin password using ldap commands? I mistyped the password using kinit a couple of times and now the account is locked. I have already changed the passwd using the command in https://www.redhat.com/archives/freeipa-users/2011-May/msg00144.html, but I still cannot login

Re: [Freeipa-users] how to unlock an account from ldap

2012-10-25 Thread Natxo Asenjo
On Thu, Oct 25, 2012 at 11:33 PM, Natxo Asenjo wrote: > hi, > > how can I unlock the admin password using ldap commands? I mistyped > the password using kinit a couple of times and now the account is > locked. > > I have already changed the passwd using the command in >

Re: [Freeipa-users] Different primary group on different machines.

2012-10-26 Thread Natxo Asenjo
On Thu, Oct 25, 2012 at 9:11 PM, KodaK wrote: > We have many different development groups, but people can be members > of multiple groups. For collaboration, they'd like it when creating a > file to have that file have a group ownership of "foo" on machine-A, > but "bar" on machine-B. I'd like

Re: [Freeipa-users] Different primary group on different machines.

2012-10-26 Thread Natxo Asenjo
rement as nobody would ever > think of it in Windows. Not happy w/ a traditional Unix permissions? Go for > ACLs. > The only pity is that the current Posix-draft hack widely used on all > Linuxes is a mess and Rich-acl support is still nowhere in sight :-( > > Ondrej > > On

[Freeipa-users] failure to register dns on joining IPA domain

2012-11-16 Thread Natxo Asenjo
hi, this is a part of ipaclient-install.log 2012-11-16T12:12:32Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt : zone ipa.domain.tld. update delete host.ipa.domain.tld. IN SSHFP send update add host.ipa.domain.tld. 1200 IN SSHFP 1 1 904DA80AD2554ABEC354599E6876 89307F4ADCF3 update a

[Freeipa-users] sssd cache

2012-11-16 Thread Natxo Asenjo
hi, when running getent negroup I get old entries. Apparently sssd is being helpful :-) and caching info, but it should not do it when I am connected to the domain (IMHO). According to https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-cache.htm

Re: [Freeipa-users] sssd cache

2012-11-16 Thread Natxo Asenjo
On Fri, Nov 16, 2012 at 2:52 PM, Natxo Asenjo wrote: > hi, > > when running getent negroup I get old entries. > Apparently sssd is being helpful :-) and caching info, but it should > not do it when I am connected to the domain (IMHO). > > According to > https://access.r

Re: [Freeipa-users] sssd cache

2012-11-16 Thread Natxo Asenjo
On Fri, Nov 16, 2012 at 3:00 PM, Stephen Gallagher wrote: > Two points here. 1) sss_cache is moving to the main package in RHEL 6.4, so > you won't have to install the separate sssd-tools package for it. 2) You > might also look at the manpage for entry_cache_netgroup_timeout. If you want > to ha

Re: [Freeipa-users] IPA weirdness with Samba, Dovecot IMAP and SSHD

2012-11-19 Thread Natxo Asenjo
hi, Qing On Sat, Nov 17, 2012 at 8:20 PM, Qing Chang wrote: > 2, Dovecot + IPA: it is not an IPA issue but sss cache timeout issue, I read > it's 90 min? > When a user changes his/her password, the cache usually is not updated, > hence > problem checking IMAP email with new password. >

Re: [Freeipa-users] failure to register dns on joining IPA domain

2012-11-20 Thread Natxo Asenjo
On Tue, Nov 20, 2012 at 9:28 AM, Petr Spacek wrote: > Hello, > > > On 11/19/2012 05:28 PM, Natxo Asenjo wrote: >> >> On Mon, Nov 19, 2012 at 10:03 AM, Petr Spacek wrote: >>> >>> Hello, >> >> >> hi, >> >>> The log sh

Re: [Freeipa-users] Solaris 10 and Solaris 11 clients

2012-11-28 Thread Natxo Asenjo
hi, On Wed, Nov 28, 2012 at 12:02 AM, Tim Wissman wrote: > > Folks - I have started using FreeIPA and have tried to download the Solaris > 10 nss-ldap for the intel platform, but when i tried to save the file i > received an error saying the server had issues. I was able to download the > SPARC p

[Freeipa-users] libvirt with vnc freeipa

2012-11-30 Thread Natxo Asenjo
hi, I'm following the howto on http://freeipa.org/page/Libvirt_with_VNC_Consoles to authenticate users for virsh with ipa. I have it mostly working :-) except for the fact that libvirtd is not respecting the sasl_allowed_username_list parameter. If I do not set it, and I have a realm ticket, th

Re: [Freeipa-users] [libvirt-users] libvirt with vnc freeipa

2012-11-30 Thread Natxo Asenjo
o Sorce wrote: >> Hi Natxo, >> >> On Fri, 2012-11-30 at 13:06 +0100, Natxo Asenjo wrote: >> > hi, >> > >> > I'm following the howto on >> > http://freeipa.org/page/Libvirt_with_VNC_Consoles to authenticate >> > users for virsh with ipa

Re: [Freeipa-users] [libvirt-users] libvirt with vnc freeipa

2012-11-30 Thread Natxo Asenjo
On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange wrote: > On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote: >> hi, >> >> sasl_allowed_username_list = ["ad...@ipa.example.com" ] >> >> if I leave this field commented out (default setting), e

Re: [Freeipa-users] [libvirt-users] libvirt with vnc freeipa

2012-11-30 Thread Natxo Asenjo
On Fri, Nov 30, 2012 at 4:52 PM, Simo Sorce wrote: > Natxo it sounds odd that you are getting back a non fully qualified > principal name, are you sure your configuration is using SASL/GSSAPI ? > > What other directives have you configured ? I have followed the howto in the freeipa.org wiki. I

Re: [Freeipa-users] [libvirt-users] libvirt with vnc freeipa

2012-11-30 Thread Natxo Asenjo
On Fri, Nov 30, 2012 at 4:20 PM, Daniel P. Berrange wrote: > On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote: >> Thanks. If I may just hijack this thread: is it possible to whitelist >> groups instead of individual users to use virsh/virtual manager? >> >

[Freeipa-users] RFE: default hbac is too open

2012-11-30 Thread Natxo Asenjo
hi, the default hbac rule 'allow_all' is nice for testing, but for a production environment I am not so sure ;-) We do not want our users getting a shell in our kdc servers or in the database servers for instance. We want them to use the postgresql service, but not login the database server with

[Freeipa-users] error adding replica

2012-12-02 Thread Natxo Asenjo
hi, I have a 6.3 centos server that has been upgraded since 6.1. According to the ipaserver-install.log, I installed it on feb 3 2012 so it has been upgraded at least once. Now that I have more hardware to run a few more vm's I can test replicas. But apparently I am running into this problem: ht

Re: [Freeipa-users] sssd cache

2012-12-05 Thread Natxo Asenjo
On Wed, Dec 5, 2012 at 3:11 PM, Jakub Hrozek wrote: > On Wed, Dec 05, 2012 at 02:20:40PM +0100, Natxo Asenjo wrote: >> hi, >> >> why would I want sssd to cache group/hostgroup/netgroup membership? >> >> Is the performance hit so huge on the ldap servers? >&g

Re: [Freeipa-users] sssd cache

2012-12-07 Thread Natxo Asenjo
On Wed, Dec 5, 2012 at 3:29 PM, Simo Sorce wrote: > As a test to show why the cache is important do this: > > 1. Create a directory > 2. create 100 files in this directory > 3. chown each file to a different user and a different group each > 4. stop sssd, wipe cache file and restart > 5. do a ls -

Re: [Freeipa-users] DNS: sub-domain or new domain

2012-12-12 Thread Natxo Asenjo
hi, On Wed, Dec 12, 2012 at 7:45 PM, Patrick Bakker wrote: > I just joined this list because I was curious about the recent discussion > that Rashard Kelly had started about whether to use FreeIPA's integrated DNS > or whether to disable DNS. I'm wondering about a very similar thing. I have > a b

Re: [Freeipa-users] error adding replica

2012-12-12 Thread Natxo Asenjo
hi, On Fri, Dec 7, 2012 at 4:28 PM, Rob Crittenden wrote: >> a bit late, but here is the output of /var/log/ipareplica-install.log >> en /var/log/pki-ca/debug ; I did not find a >> /var/log/ipaserver-install.log in the replica server. > > > The dogtag installer is failing with the error "The pkc

Re: [Freeipa-users] error adding replica

2012-12-13 Thread Natxo Asenjo
hi, On Thu, Dec 13, 2012 at 1:46 AM, Dmitri Pal wrote: >> > The holidays are coming. It is unlikely that we would be able to look > into it till Jan. that is no problem at all, we have the same issues ;-) Do you want me to keep the vm's around for troubleshooting the issue when there is time?

Re: [Freeipa-users] FreeIPA and Samba 4

2012-12-17 Thread Natxo Asenjo
On Mon, Dec 17, 2012 at 8:58 PM, Steven Santos wrote: > I know this may be a loaded question, but I am asking it anyways. > > Can anyone tell me what the current status and future plan for IPA / Samba 4 > is? probably the same as with AD: cross realm trusts. -- groet, natxo ___

Re: [Freeipa-users] sudo made a bit easier to configure

2012-12-21 Thread Natxo Asenjo
On Thu, Dec 20, 2012 at 4:43 PM, Han Boetes wrote: > Hi, > > I discovered that using this recipe makes setting up sudo-ldap very simple. > Even when anonymous binds is disabled. Thanks! I have not yet used sudo with IPA, but it sure is in the pipeline and this comes in handy ;-) > URI ldap://aut
