Thanks to both of you for the interest.
Here's the info you asked for:
1. Putting debug_level = 7 in the [domain] and/or [nss] section of
the /usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log
file located at /var/log/sssd/sssd.log is only populated with data when
I make some
With help from Alexander Bokovoy I found correct log destinations:
sssd-domain-log:
https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log
sssd-nss-log: https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log
These files are from my second Fedora - FreeBSD setup, they have
domain name, but everything else is identical.
Interestingly enough, there are lines in sssd_nss.log saying that there
are no users or groups in the domain. But as I said, I can ssh to the
IPA server as an IPA user.
14-Oct-14 10:23, Orkhan Gasimov wrote:
Thanks to both of you for the interest
option, as the
server complained about the host not having a DNS A record (I don't run
a DNS server on the IPA server).
14-Oct-14 12:48, Fraser Tweedale wrote:
On Tue, Oct 14, 2014 at 12:34:09PM +0500, Orkhan Gasimov wrote:
With help from Alexander Bokovoy I found correct log destinations:
sssd-domain
Slebodnik wrote:
On (14/10/14 10:23), Orkhan Gasimov wrote:
Thanks to both of you for the interest.
Here's the info you asked for:
1. Putting debug_level = 7 in the [domain] and/or [nss] section of the
/usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log file
located at /var/log/sssd
a DNS
server to facilitate FreeIPA client-server interaction? Or is there a way
to do it with just 2 VMs and no DNS server?
14-Oct-14 12:50, Alexander Bokovoy wrote:
On Tue, 14 Oct 2014, Orkhan Gasimov wrote:
With help from Alexander Bokovoy I found correct log destinations:
sssd-domain
I'll try such a test setup, then share information about the results.
14-Oct-14 15:04, Petr Spacek wrote:
On 14.10.2014 11:49, Orkhan Gasimov wrote:
I suspected that problems could arise with DNS, and here they are...
In fact, this entire string: ipa_server = _srv_ #our FreeIPA server
has DNS
.
Please don't hesitate to explain a little more clearly.
14-Oct-14 16:29, Petr Spacek wrote:
On 14.10.2014 11:49, Orkhan Gasimov wrote:
I suspected that problems could arise with DNS, and here they are...
In fact, this entire string: ipa_server = _srv_ #our FreeIPA server
has DNS
SRV entries
installation command?
Yes, I know - this is a question Homer Simpson would ask.
14-Oct-14 17:43, Petr Spacek wrote:
On 14.10.2014 13:48, Orkhan Gasimov wrote:
I need further assistance with this moment:
specify IPA domain name which is a sub-domain of your existing domain
(e.g.
ipa.eurosel.az
, Orkhan Gasimov wrote:
So which way do I go?
1) Change the server VM's hostname from ipa1.eurosel.az to
ipa1.ipa.eurosel.az prior to issuing the IPA installation command
2) or leave my hostname and contents of /etc/hosts file intact and
specify a
different FQDN and domain part of the IPA server
, Lukas Slebodnik wrote:
On (14/10/14 17:48), Fraser Tweedale wrote:
On Tue, Oct 14, 2014 at 12:34:09PM +0500, Orkhan Gasimov wrote:
With help from Alexander Bokovoy I found correct log destinations:
sssd-domain-log:
https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log
sssd-nss-log
%2Fkrb5_child.log
ldap_child.log: https://cloud.mail.ru/public/d9b0b1eb0da6%2Fldap_child.log
sssd_log: https://cloud.mail.ru/public/d4032b8e6645%2Fsssd.log
16-Oct-14 14:57, Lukas Slebodnik wrote:
On (16/10/14 13:04), Orkhan Gasimov wrote:
OK, back to FreeIPA - FreeBSD setup.
I changed my setup: instead of 2 VMs
of hours to:
1) check everything he advised on a blank setup with VMs;
2) provide more details about correct sequence of actions.
Any help will be highly appreciated!
16-Oct-14 15:13, Orkhan Gasimov wrote:
Please excuse me for that silly typo in the letter. The typo doesn't
exist either in /etc
anything about such a file. I'll do some more checks and share the
results here.
16-Oct-14 18:23, Orkhan Gasimov wrote:
Here's what I have at the end of the day after various checks.
SSH-ing as the existing IPA user rsiwal to my FreeBSD client fails.
The same user can SSH or locally login to my Linux
This idea is great, it would be invaluable for many people trying to
integrate FreeBSD with FreeIPA. Currently there's only one post about
this at the FreeBSD forums, but it's not detailed and tells nothing about
the many caveats of the process.
You would have helped a lot of people to avoid
Unfortunately, putting that line in /etc/pam.d/system prevents me from
being able to locally login to the BSD client.
At the same time, the same line in /etc/pam.d/sshd or /etc/pam.d/login
doesn't give unexpected behaviours.
Bug, bug, bug...
17-Oct-14 14:15, Lukas Slebodnik wrote:
I would
that as a result
of all this effort a well-detailed tutorial could be written and shared
with all *nix users.
17-Oct-14 16:17, Martin Kosek wrote:
On 10/17/2014 01:01 PM, Orkhan Gasimov wrote:
That format is not simple for me, as I'm not a programmer. But after I check,
double-check and triple-check
I found another solution (currently checked it only for adding/deleting
a sudo rule for a user, and also enabling/disabling a user) - add to the
[domain] section of the sssd.conf file: entry_cache_timeout = 5.
17-Oct-14 16:39, Lukas Slebodnik wrote:
sssd uses a few levels of caches. If you
of
information in it will help people to avoid great deal of frustration.
20-Oct-14 13:01, Lukas Slebodnik wrote:
On (19/10/14 08:45), Orkhan Gasimov wrote:
2. About my pam.d files - please read carefully my previous posts.
I commented out the line in pam.d - system and added it explicitly to
You
Great news!
If I understand correctly, a package can be equivalent to several ports?
If this is correct, then could a composite package be built to include
all necessary ports?
* _security/sssd_ http://www.freshports.org/security/sssd
* _security/sudo_
I already deployed FreeIPA 4.1 on Fedora 21 server alpha-release.
Everything is good as far as FreeIPA server operation is concerned.
23-Oct-14 01:06, William Graboyes wrote:
3) am I insane for wanting to introduce FC21 into my environment?
--
Manage your subscription for the Freeipa-users
/netgroup. We run the
script every hour via cron.
The script looks for host groups in
'cn=hostgroups,cn=accounts,dc=domain', and that works with FreeIPA
3.3. But in FreeIPA v4 host groups get in 'cn=ng,cn=compat,dc=domain'.
So the script needs modification.
23-Oct-14 12:09, Orkhan Gasimov
: Specified Services and Groups - ANY SERVICE
Is this the correct behavior? I don't remember anything like this in
FreeIPA 3.3.
23-Oct-14 15:21, Orkhan Gasimov wrote:
Yet with FreeIPA v4 we've got another thing to keep in mind regarding
FreeBSD - FreeIPA integration: the cron script proposed
Very interesting!
You're right, I used a simple ldapsearch -x command on the client when
browsing the LDAP database. With IPA 3.3 it returned a whole lot of info about
hostgroups, but with IPA 4.1 - only a single string 'cn=ng,cn=compat,$SUFFIX'.
That's why the current script didn't work.
Tomorrow
You could ease everything by creating 2 files: FreeIPA.conf and FreeIPA.pem,
uploading them to the Web and sharing links to them. FreeBSD users could then use
the fetch command to download and use your files.
Sent from Blue Mail
On 24.10.2014 at 5:36, Fraser Tweedale ftwee...@redhat.com
Awesome, it worked!
Just one final question: how to make that script search not only in
ipa1.example.com's LDAP database, but also in ipa2.example.com's LDAP in
case ipa1 is inaccessible? It's vital for a production environment!
I tried copying the whole section of code from ldapsearch ...
Thanks, this option worked in that script!
24-Oct-14 12:43, Alexander Bokovoy wrote:
You can specify multiple servers yourself too as
-H "ldap://ipa1.example.com ldap://ipa2.example.com ldap://ipa3.example.com"
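The hourly export script discussed above (host groups written to /etc/netgroup, which on IPA 4 have to be read from the compat tree cn=ng,cn=compat) combined with the multi-server -H form from the previous message, as an added Python example that is not code from this thread. It assumes the compat plugin publishes netgroups as nisNetgroup entries carrying nisNetgroupTriple and memberNisNetgroup, that the tree is readable by the anonymous (-x) bind the script uses, and that ipa1/ipa2.example.com and dc=example,dc=com are placeholders; the LDIF it parses is constructed, not captured from a server.

```python
# Added example (not from the thread): netgroups -> /etc/netgroup from the
# FreeIPA 4 compat tree, with ldapsearch falling back across servers.
# Assumptions: nisNetgroup entries under cn=ng,cn=compat,<suffix>, anonymous
# read allowed, placeholder server names and suffix.
import base64
import os
import subprocess
import tempfile

NETGROUP_FILE = "/etc/netgroup"

# Constructed sample of 'ldapsearch -x -LLL' output, not captured from a server.
SAMPLE_LDIF = """\
dn: cn=webservers,cn=ng,cn=compat,dc=example,dc=com
cn: webservers
nisNetgroupTriple: (web1.example.com,-,example.com)
nisNetgroupTriple: (web2.example.com,-,example.com)

dn: cn=admins-hosts,cn=ng,cn=compat,dc=example,dc=com
cn: admins-hosts
memberNisNetgroup: webservers
nisNetgroupTriple: (ipa1.example.com,-,example.com)
"""


def build_ldapsearch_cmd(servers, suffix):
    """argv for the query.  OpenLDAP's -H takes a whitespace separated URI
    list and tries the servers in order, so the list must stay ONE argument
    (unquoted on a shell line, the second URI would become the filter)."""
    uris = " ".join("ldap://%s" % s for s in servers)
    return ["ldapsearch", "-x", "-LLL", "-H", uris,
            "-b", "cn=ng,cn=compat,%s" % suffix,
            "(objectClass=nisNetgroup)",
            "cn", "memberNisNetgroup", "nisNetgroupTriple"]


def _logical_lines(text):
    """Yield LDIF lines with folded continuations joined and comments
    dropped; blank lines are kept because they separate entries."""
    buf = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and buf:
            buf += raw[1:]          # continuation of the previous line
            continue
        if buf is not None:
            yield buf
        buf = raw
    if buf is not None:
        yield buf


def parse_netgroup_ldif(text):
    """Return {netgroup: [members]}; members are nested netgroup names and
    (host,user,domain) triples in the order the server sent them."""
    groups, name, members = {}, None, []
    for line in list(_logical_lines(text)) + [""]:   # trailing "" flushes last
        if not line:
            if name is not None:
                groups[name] = members
            name, members = None, []
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):                     # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attr = attr.lower()
        if attr == "cn":
            name = value
        elif attr in ("membernisnetgroup", "nisnetgrouptriple"):
            members.append(value)
    return groups


def render_netgroup(groups):
    """One 'name member ...' line per netgroup, sorted so reruns are reproducible."""
    return "".join("%s %s\n" % (n, " ".join(groups[n])) for n in sorted(groups))


def write_atomically(path, content):
    """Temp file plus rename: a cron run that dies half way must never leave
    a truncated netgroup file behind."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".netgroup.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def main(servers=("ipa1.example.com", "ipa2.example.com"), suffix="dc=example,dc=com"):
    out = subprocess.check_output(build_ldapsearch_cmd(servers, suffix))
    groups = parse_netgroup_ldif(out.decode("utf-8"))
    if not groups:   # an empty answer would silently lock every host out
        raise SystemExit("no netgroups returned; leaving %s untouched" % NETGROUP_FILE)
    write_atomically(NETGROUP_FILE, render_netgroup(groups))


if __name__ == "__main__":
    main()
```

Two points a practitioner would want from a cron job like this: the file is replaced with a rename rather than rewritten in place, and an empty result (every server unreachable, or a search against the wrong base) leaves the old /etc/netgroup alone instead of emptying it, which would otherwise lock the IPA users out of the BSD host until the next successful run.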
OK, thanks for info.
First I used that command with | grep radius at the end prior to
adding my radiusschema.ldif.
It returned no data.
Then I added my radiusschema.ldif using the command:
# ldapmodify -ZZ -x -D "cn=Directory Manager" -W -H ldap://localhost -f /usr/share/radiusschema.ldif
, it's necessary to
repeat this part:
dn: cn=schema
changetype: modify
before this part:
add: objectclasses
After that everything proceeds normally, and it's possible to add
radiusprofile objectclass to default user objectclasses.
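To avoid hand-editing the schema LDIF every time, here is an added Python helper (not from the thread, and not the poster's radiusschema.ldif) that rewrites a single cn=schema modify record carrying several add: changes into one record per change, each with its own dn:/changetype: header, the form the poster reports 389-ds accepted, and builds the ldapmodify command with the bind DN passed as one argument. The attribute and object class in the sample LDIF are placeholders with a made-up private-enterprise OID (1.3.6.1.4.1.99999), not the RADIUS schema.

```python
# Added example (not from the thread): split one "dn: cn=schema /
# changetype: modify" LDIF record with several add: changes into one
# record per change, then feed it to ldapmodify over StartTLS.
# The sample schema is a placeholder with a made-up OID, not radiusschema.ldif.
import shlex
import subprocess
import tempfile

SAMPLE_SCHEMA_LDIF = """\
# constructed sample, not the poster's radiusschema.ldif
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleAttr' DESC 'placeholder'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
-
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'exampleProfile' SUP top AUXILIARY
  MAY ( exampleAttr ) )
"""

CHANGE_KEYWORDS = ("add:", "replace:", "delete:")


def split_schema_ldif(text, dn="cn=schema"):
    """Return LDIF with one 'dn/changetype: modify' record per change.
    Folded continuation lines (leading space) are kept verbatim, '-'
    separators are dropped, and running it on its own output is a no-op."""
    header = "dn: %s\nchangetype: modify\n" % dn
    records, current = [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        low = line.lower()
        if not line or line.startswith("#"):
            continue
        if low.startswith("dn:") or low.startswith("changetype:") or line == "-":
            if current:                 # record boundary, header is regenerated
                records.append(current)
                current = []
            continue
        if low.startswith(CHANGE_KEYWORDS) and current:
            records.append(current)     # new change without a '-' separator
            current = []
        current.append(line)
    if current:
        records.append(current)
    return "\n".join(header + "\n".join(r) + "\n" for r in records)


def ldapmodify_cmd(ldif_path, host="localhost", bind_dn="cn=Directory Manager"):
    """argv for the command used in the thread; as a list, the space in the
    bind DN survives, which an unquoted '-D cn=Directory Manager' on a
    shell line does not."""
    return ["ldapmodify", "-ZZ", "-x", "-D", bind_dn, "-W",
            "-H", "ldap://%s" % host, "-f", ldif_path]


def shell_form(argv):
    """Render argv as a correctly quoted shell command line."""
    return " ".join(shlex.quote(a) for a in argv)


def apply_schema(path):
    """Rewrite the file into per-change records and load it (prompts for
    the Directory Manager password because of -W)."""
    with open(path) as f:
        split = split_schema_ldif(f.read())
    with tempfile.NamedTemporaryFile("w", suffix=".ldif", delete=False) as tmp:
        tmp.write(split)
    subprocess.check_call(ldapmodify_cmd(tmp.name))


if __name__ == "__main__":
    print(split_schema_ldif(SAMPLE_SCHEMA_LDIF))
    print(shell_form(ldapmodify_cmd("/usr/share/radiusschema.ldif")))
```

Before and after loading, the same check the thread describes (an anonymous ldapsearch of cn=schema piped through grep for the new names) tells you whether the definitions actually landed; with two replicating masters the schema only needs loading once, as the later messages confirm.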
28-Oct-14 15:43, Orkhan Gasimov wrote:
OK, thanks for info
One last question: if I'm using 2 FreeIPA servers in a multi-master
replication scenario, should I add the radiusschema.ldif file on both
servers? Or it's sufficient to add it on just one server?
29-Oct-14 09:50, Orkhan Gasimov wrote:
I solved the problem.
I tried to add my radiusschema.ldif
I checked myself on test VMs.
It's enough to add Radius schema to one FreeIPA server and issue ipactl
restart on another.
29-Oct-14 10:16, Orkhan Gasimov wrote:
One last question: if I'm using 2 FreeIPA servers in a multi-master
replication scenario, should I add the radiusschema.ldif file