Re: [Freeipa-users] DNS and $GENERATE Directive

2014-11-11 Thread Petr Spacek
On 10.11.2014 09:25, Martin Kosek wrote: > On 11/08/2014 12:16 AM, Andrew Powell wrote: >> Is there a way to add a Bind $GENERATE directive line to FreeIPA to >> automatically name DHCP-assigned ranges? >> >> In a file-based Bind installation, I can have the following line in the >> forward >> exa

Re: [Freeipa-users] FreeIPA unresponsive - Causes DOS situations

2014-11-11 Thread Petr Spacek
On 11.11.2014 13:13, Walter van Lille wrote: > SASL encrypted packet length exceeds > maximum allowed limit Martin, do you remember where is the appropriate knob? -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-us

Re: [Freeipa-users] FreeIPA Kerberos and Single-DES for OpenAFS

2014-11-12 Thread Petr Spacek
On 13.11.2014 02:17, Simo Sorce wrote: > On Wed, 12 Nov 2014 15:54:14 +0100 > Andreas Ladanyi wrote: > >> Hi, >> >> I set up the 389 LDAP server to support des-cbc-crc enctype. >> >> I created a principal for OpenAFS. OpenAFS need des-cbc-crc:v4 >> (single-DES). I created the principal with: >> >

Re: [Freeipa-users] Free ipa Configurations

2014-11-24 Thread Petr Spacek
On 18.11.2014 09:54, Rolf Nufable wrote: > Hello all I have a question regarding the log in in IPA > well I didn't expect this to happen since last week all installation went > smoothly and the adding of the clients as well but now I have another > problem. > My first problem was ntp/ntpdate was

Re: [Freeipa-users] Freeipa Forwarders

2014-11-24 Thread Petr Spacek
On 20.11.2014 08:18, Rolf Nufable wrote: > I have a quick question Do I need to configure the forwarders of > freeipa-server 4.1.1 when doing the freeipa-install-server? This is *necessary* only if you have some internal DNS zones which are not resolvable using public DNS infrastructure. In all ot

Re: [Freeipa-users] Setting up a Kerberized IMAP Server.

2014-11-24 Thread Petr Spacek
On 24.11.2014 13:56, Maria Jose Yañez Dacosta wrote: > Hi!, > > I'm installing a Zimbra server to authenticate using SSO against FreeIPA. > When when trying to access I'm getting an error which makes me think that > probably I forget set something else in FreeIPA configuration. > > Because I'm a

Re: [Freeipa-users] Setting up a Kerberized IMAP Server.

2014-11-25 Thread Petr Spacek
On 24.11.2014 17:45, Maria Jose Yañez Dacosta wrote: > Thank you for your prompt reply :). > > I still don't discover what caused the problem, but now I could get more > information about the problem. > > I run the command that you commented me, I did as follows: > > - kinit usuipa > - kvno imap

[Freeipa-users] Kerberos error: PREAUTH_FAILED: KRB5KRB_AP_ERR_BAD_INTEGRITY

2014-11-26 Thread Petr Spacek
it is more specific >> than "Re: Contents of Freeipa-users digest..." >> >> >> Today's Topics: >> >>1. Re: Is it possible to set up SUDO with redundancy? >> (Lukas Slebodnik) >>2. Re: Setting up a Kerberized IMAP Server.

Re: [Freeipa-users] Freeipa-users Digest, Vol 76, Issue 111

2014-11-27 Thread Petr Spacek
w.redhat.com/mailman/listinfo/freeipa-users >>> or, via email, send a message with subject or body 'help' to >>> freeipa-users-requ...@redhat.com >>> >>> You can reach the person managing the list at >>> freeipa-users-ow...@redhat.com &

Re: [Freeipa-users] DNS configuration

2014-12-02 Thread Petr Spacek
On 2.12.2014 17:36, Martin Basti wrote: > On 02/12/14 17:28, Matthew Herzog wrote: >> I just realized that my IPA servers cannot resolve ANY servers in my domain. >> What do I need to do to fix this? Below is my named.conf. >> >> >> options { >> // turns on IPv6 for port 53, IPv4 is on by d

[Freeipa-users] Announcing bind-dyndb-ldap version 6.1

2014-12-02 Thread Petr Spacek
The FreeIPA team is proud to announce bind-dyndb-ldap version 6.1. It can be downloaded from https://fedorahosted.org/released/bind-dyndb-ldap/ The new version has also been built for Fedora 21+ and is on its way to updates-testing: https://admin.fedoraproject.org/updates/bind-dyndb-ldap-6.1-

Re: [Freeipa-users] DNS configuration

2014-12-03 Thread Petr Spacek
As Dmitri said, the architecturally correct solution is to decide if you want to use FreeIPA DNS or not. You have option to either remove non-FreeIPA DNS servers and import data to FreeIPA or to add FreeIPA-specific DNS records to existing DNS servers and do not configure FreeIPA to act as DNS serv

Re: [Freeipa-users] strange replica install error (another one)

2014-12-03 Thread Petr Spacek
On 4.12.2014 05:02, Janelle wrote: > Thanks -- still a bit strange that it did not show up on some servers - very > random and intermittent. > > BTW - a bit of information others might find useful. If you try to use the > "LDAP" portion of IPA for authentication - rather than fully installing t

Re: [Freeipa-users] Cross-Realm authentification

2014-12-04 Thread Petr Spacek
On 4.12.2014 12:07, Alexander Bokovoy wrote: > On Thu, 04 Dec 2014, Andreas Ladanyi wrote: >> On 03.12.2014 at 14:53, Alexander Bokovoy wrote: >>> On Wed, 03 Dec 2014, Andreas Ladanyi wrote: Hi, I am trying to set up a cross-realm relationship. Generated krbtgt cross-realm p

Re: [Freeipa-users] Cross-Realm authentification

2014-12-04 Thread Petr Spacek
On 4.12.2014 16:58, Simo Sorce wrote: > On Thu, 4 Dec 2014 13:22:01 +0200 > Alexander Bokovoy wrote: > >> On Thu, 04 Dec 2014, Petr Spacek wrote: >>>> And /var/log/krb5kdc.log on master.f21.test (KDC for F21.TEST) I >>>> can see: >>>> Dec 0

Re: [Freeipa-users] Cross-Realm authentification

2014-12-04 Thread Petr Spacek
On 4.12.2014 17:27, Alexander Bokovoy wrote: > On Thu, 04 Dec 2014, Petr Spacek wrote: >> On 4.12.2014 16:58, Simo Sorce wrote: >>> On Thu, 4 Dec 2014 13:22:01 +0200 >>> Alexander Bokovoy wrote: >>> >>>> On Thu, 04 Dec 2014, Petr Spacek wrote: &g

Re: [Freeipa-users] Cross-Realm authentification

2014-12-05 Thread Petr Spacek
On 5.12.2014 15:21, Andreas Ladanyi wrote: > On 05.12.2014 at 14:04, Alexander Bokovoy wrote: >> > Ok, I see one difference: I didn't use the "-requires_preauth" flag. Why did you use them? >>> Because this is recommended by MIT documentation. The link between >>> realms has to be pr

Re: [Freeipa-users] Cross-Realm authentification

2014-12-05 Thread Petr Spacek
On 5.12.2014 21:53, Alexander Bokovoy wrote: > On Fri, 05 Dec 2014, Alexander Bokovoy wrote: >> On Fri, 05 Dec 2014, Petr Spacek wrote: >>> On 5.12.2014 15:21, Andreas Ladanyi wrote: >>>> On 05.12.2014 at 14:04, Alexander Bokovoy wrote: >>>>> >>&

Re: [Freeipa-users] DNS configuration

2014-12-08 Thread Petr Spacek
0x0100): >>>> Service pam replied to ping >>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): >>>> Service ssh replied to ping >>>> (Thu Dec 4 13:45:23 2014) [sssd] [ping_check] (0x0100): >>>> Service pac re

Re: [Freeipa-users] DNS configuration

2014-12-08 Thread Petr Spacek
port all our dsee7 accounts AND make it > possible for AD users to access the Linux systems without needing to create > them in IPA. > > On Mon, Dec 8, 2014 at 2:56 AM, Petr Spacek wrote: > >> On 8.12.2014 05:02, Dmitri Pal wrote: >>> On 12/07/2014 10:10 PM, Matthew He

Re: [Freeipa-users] DNS configuration

2014-12-09 Thread Petr Spacek
nstall >>> script ever mentioned the creation of such. In fact, I just ran >>> ipa-server-install --uninstall && ipa-server-install and there was no >>> mention of a zone file. >>> >>> Where should I look in the file system to be sure? I see noth

Re: [Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]

2014-12-09 Thread Petr Spacek
On 9.12.2014 02:43, Dmitri Pal wrote: > On 12/08/2014 06:50 PM, Gianluca Cecchi wrote: >> On Mon, Dec 8, 2014 at 7:17 PM, Gianluca Cecchi > > wrote: >> >> OK. I will check requirements to write into The wiki >> >> >> >> When I try to login with my Fedora OpenID

Re: [Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]

2014-12-11 Thread Petr Spacek
On 10.12.2014 20:20, Dmitri Pal wrote: > On 12/10/2014 06:55 AM, Gianluca Cecchi wrote: >> On Tue, Dec 9, 2014 at 10:50 AM, Martin Kosek > > wrote: >> >> On 12/09/2014 12:50 AM, Gianluca Cecchi wrote: >> > On Mon, Dec 8, 2014 at 7:17 PM, Gianluca Cecchi >> mail

Re: [Freeipa-users] Logging: IPA to Rsyslog to Logstash

2015-01-05 Thread Petr Spacek
Hello Duncan, thank you for doing this! Could you transform this post to http://www.freeipa.org/page/HowTos#Working_with_FreeIPA article, please? I think that other people could use that too. Thank you very much. Petr^2 Spacek On 19.12.2014 17:35, Innes, Duncan wrote: > Earlier this year I said

Re: [Freeipa-users] bind-dyndb-ldap and ddns updates from dhcp

2015-01-05 Thread Petr Spacek
On 31.12.2014 22:40, Jan Pazdziora wrote: > On Wed, Dec 31, 2014 at 10:34:37PM +0100, Jan Pazdziora wrote: >> >>> endpoints, or their users, should not be trusted to >>> make updates to DNS zones. TSIG signed updates from servers are still >>> preferred over authenticated updates from endpoints or

Re: [Freeipa-users] Client configuration to point to Replica server once master service failed

2015-01-05 Thread Petr Spacek
On 1.1.2015 07:25, Prashant Bapat wrote: > You could use DNS based failover for this. > > Configure DNS with a low TTL value like 60 secs. When the primary fails, > update the dns with the secondary. This should not be necessary for FreeIPA because we use DNS SRV records and clients are supposed

Re: [Freeipa-users] KDC has no support for encryption type

2015-01-05 Thread Petr Spacek
On 29.12.2014 23:31, Matt . wrote: > But should an IPA install not add them by default ? Maybe this is some I'm not sure that I understand what you mean, but DES is disabled on purpose because it is completely insecure nowadays. Maybe you should try to rule it out from your deployment. According

Re: [Freeipa-users] Integration with Solaris 10

2015-01-05 Thread Petr Spacek
On 2.1.2015 22:11, Dmitri Pal wrote: > Would you mind creating a wiki page with the solution on the wiki? Maybe you could check & modify http://www.freeipa.org/page/ConfiguringUnixClients ... Normal Fedora Account will allow you to edit the page. -- Petr^2 Spacek

Re: [Freeipa-users] Configure also-notify for freeipa DNS zones

2015-01-09 Thread Petr Spacek
On 8.1.2015 18:54, Baird, Josh wrote: > I should also note that adding "also-notify { 1.2.3.4; };" to /etc/named.conf > on the IPA server does not actually trigger notifies for whatever reason. AFAIK also-notify specification in options {} section is not supported by bind-dyndb-ldap. Feel free to

Re: [Freeipa-users] Group Policy-like features in FreeIPA

2015-01-12 Thread Petr Spacek
On 11.1.2015 22:16, Dale Macartney wrote: > Morning folks > > I am currently working on a little pet project which I think some would > find useful. > > I would like to introduce some group policy like functionality into a > FreeIPA domain. > > For example: > In an environment running FreeIPA Se

Re: [Freeipa-users] Getfedora.org ssl cert issue

2015-01-12 Thread Petr Spacek
On 12.1.2015 16:31, brendan kearney wrote: > Can someone up-channel an issue with getfedora.org? The site changed URLs, > and the cert was not amended to include the new URL as a Subject > Alternative Name and now cert mismatches are occurring. Please open a ticket on https://fedorahosted.org/fed

Re: [Freeipa-users] Group Policy-like features in FreeIPA

2015-01-13 Thread Petr Spacek
On 12.1.2015 17:20, brendan kearney wrote: > OpenAFS? If you insist on a replicated FS then try Gluster. Petr^2 Spacek > On Jan 12, 2015 11:04 AM, "Craig White" > wrote: > >> *From:* freeipa-users-boun...@redhat.com [mailto: >> freeipa-users-boun...@redhat.com] *On Behalf Of *Dale Macartney >

Re: [Freeipa-users] DNS updates from dhcpd refused

2015-01-13 Thread Petr Spacek
On 13.1.2015 14:52, Mike wrote: > Hi - FreeIPA newbie here trying to enable ddns updates from dhcpd to IPA. I > don't know if this is an IPA or dhcpd issue but thought I'd ask here. I'm also > not sure if TSIG is the best, or only way to go. > > All machines are CentOS 7 with ipa 3.3.3, actually only

Re: [Freeipa-users] DNS updates from dhcpd refused

2015-01-14 Thread Petr Spacek
On 13.1.2015 21:25, Dmitri Pal wrote: > On 01/13/2015 01:41 PM, Mike wrote: >> On Tue, 13 Jan 2015, Dmitri Pal wrote: >> >>> On 01/13/2015 12:35 PM, Mike wrote: Just a note to anyone else who may be interested. This may be obvious but it wasn't to me at first, The "ipa dnszone-mod

Re: [Freeipa-users] Can I revert back the hostname on client

2015-01-14 Thread Petr Spacek
Hello, On 14.1.2015 06:13, Rakesh Rajasekharan wrote: > Freeipa changes the hostname to FQDN. But in our existing set up that can > cause issues. Could you be more specific? It would help if we had detailed bug reports about this but up to now everybody just said 'I need non-FQDN hostname' but

Re: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04

2015-01-15 Thread Petr Spacek
On 15.1.2015 03:34, Sina Owolabi wrote: > Hi List > > Please is it really possible to have Debian and Ubuntu serve as IPA clients? > I've tried some instructions/guidelines on the list and they always fail > with the IPA client install being halfway completed and sssd's > configuration file moved

Re: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04

2015-01-15 Thread Petr Spacek
On 15.1.2015 09:36, Lukas Slebodnik wrote: >>> >> Hi List >>> >> >>> >> Please is it really possible to have Debian and Ubuntu serve as IPA >>> >> clients? >>> >> I've tried some instructions/guidelines on the list and they always fail >>> >> with the IPA client install being halfway completed an

Re: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04

2015-01-15 Thread Petr Spacek
On 15.1.2015 11:04, Lukas Slebodnik wrote: > On (15/01/15 10:54), Petr Spacek wrote: >> On 15.1.2015 09:36, Lukas Slebodnik wrote: >>>>>>> Hi List >>>>>>> >>>>>>> Please is it really possible to have Debian and Ubuntu serve

Re: [Freeipa-users] DNS Design for FreeIPA4

2015-01-16 Thread Petr Spacek
On 15.1.2015 20:51, Baird, Josh wrote: > Hi, > > We are currently piloting FreeIPA4 (RHEL 7.1 IdM) in our environment. We > plan on establishing a trust with AD at some point during the POC. An > overview of the current DNS design: > > * FreeIPA runs integrated DNS (ie, ipa.domain.com) > * Se

Re: [Freeipa-users] Having trouble running FreeIPA with SRV records on externally managed DNS

2015-01-19 Thread Petr Spacek
On 19.1.2015 16:54, rob.har...@stfc.ac.uk wrote: > Hi all, > > I have successfully set up a test FreeIPA server and run it for a while, but > the time has come to move towards a production service. I am currently > running ipa-server version 3.0.0-25 on Scientific Linux 6.4 (if you don't > kno

Re: [Freeipa-users] Creating Home directories still presents as -sh-4.1$ after changing oddjob mask

2015-01-22 Thread Petr Spacek
On 22.1.2015 09:25, Sina Owolabi wrote: > Hi List > > I'm at a client who has no support subscriptions, using Red Hat IdM on RHEL > 6.3 64-bit servers with ipa-server-3.0.0-37.el6.x86_64 > and ipa-client-3.0.0-42.el6.x86_64 . > I've been playing around with autocreating user homedirs with the > re

Re: [Freeipa-users] Having trouble running FreeIPA with SRV records on externally managed DNS

2015-01-22 Thread Petr Spacek
On 22.1.2015 10:44, rob.har...@stfc.ac.uk wrote: > Hi, > > Many thanks to everyone who offered advice on this. My problem appears to be > fixed. > > My solution was to change the TXT record defining the Kerberos realm to > ensure the realm name was in upper case, in quotes, and did not have a

Re: [Freeipa-users] Minimum Disk Size

2015-02-03 Thread Petr Spacek
On 4.2.2015 02:03, Dan Mossor wrote: > What would be the minimum recommended disk size for a virtual FreeIPA server > on a network consisting of less than 30 users and 100 hosts? This is effectively a few megabytes of data in the database. We are often testing FreeIPA on a machine with 10 GB of stora

Re: [Freeipa-users] Heads up - FC20 softhsm -2.0.0b1-8 rpm from mkosek/freeipa copr appears to be broken

2015-02-10 Thread Petr Spacek
On 10.2.2015 01:23, Michael Lasevich wrote: > To save a day of torture to those of you still on FC20 and using > mkosek-freeipa copr repo - it appears that the package ( > http://copr-be.cloud.fedoraproject.org/results/mkosek/freeipa/fedora-20-x86_64/softhsm-2.0.0b1-8.fc20/softhsm-2.0.0b1-8.fc20.x8

Re: [Freeipa-users] bug with ipa-replica and external dns? [SOLVED]

2015-02-10 Thread Petr Spacek
On 10.2.2015 12:29, Martin Basti wrote: > option --ip-address adds the specified address (addresses IPA-4-1) into IPA > DNS. > IPA currently does not support updating external DNS servers, so that is > reason why replica preparation did not work for you. Let me add that newer versions of FreeIPA

Re: [Freeipa-users] Cross-Realm authentification

2015-02-18 Thread Petr Spacek
On 5.12.2014 22:24, Petr Spacek wrote: > On 5.12.2014 21:53, Alexander Bokovoy wrote: >> On Fri, 05 Dec 2014, Alexander Bokovoy wrote: >>> On Fri, 05 Dec 2014, Petr Spacek wrote: >>>> On 5.12.2014 15:21, Andreas Ladanyi wrote: >>>>> On

Re: [Freeipa-users] FreeIPA and Application Specific Passwords

2015-02-19 Thread Petr Spacek
On 19.2.2015 02:47, Steven Jones wrote: > Hi, > > There is always a tradeoff between ease of use, complexity/cost and security. > Looking at what you have written suggests to me that your entire system > lacks a proper security / network architecture model and you are trying to > enforce a "po

Re: [Freeipa-users] Forward first not working

2015-02-26 Thread Petr Spacek
On 25.2.2015 19:18, Martin Basti wrote: > And I'm not sure if forwarding between 2 authoritative zones with the same > name > will work, because the zone is authoritative on IPA side, so IPA will return > authoritative answer NXDOMAIN and will not try to forward query. > You may need NS delegat

Re: [Freeipa-users] Host aliases in freeipa

2015-03-01 Thread Petr Spacek
On 27.2.2015 21:04, Simo Sorce wrote: > On Fri, 2015-02-27 at 18:59 +, Roderick Johnstone wrote: >> On 27/02/15 18:33, Simo Sorce wrote: >>> On Fri, 2015-02-27 at 18:19 +, Roderick Johnstone wrote: Hi I'm trying to migrate my NIS databases to freeipa and have got to the >>

Re: [Freeipa-users] Using Domain Names

2015-03-01 Thread Petr Spacek
On 28.2.2015 04:33, Rob Crittenden wrote: > Hadoop Solutions wrote: >> Hi, >> >> I am new to IPA and we are planning to deploy IPA on one of our hadoop >> cluster nodes. >> >> But, I have a question on IPA: >> >> 1. we are using corp DNS on all nodes, but still is it required to >> install IPA DNS serve

Re: [Freeipa-users] Host aliases in freeipa

2015-03-02 Thread Petr Spacek
On 2.3.2015 13:29, Roderick Johnstone wrote: > On 27/02/15 20:04, Simo Sorce wrote: >> On Fri, 2015-02-27 at 18:59 +, Roderick Johnstone wrote: >>> On 27/02/15 18:33, Simo Sorce wrote: On Fri, 2015-02-27 at 18:19 +, Roderick Johnstone wrote: > Hi > > I'm trying to migrate o

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Petr Spacek
On 6.3.2015 14:08, Martin Kosek wrote: > I'm figuring out how to regenerate the webserver certificates so I can > use a loadbalancer in front of my ipa servers. Are you talking about FreeIPA web interface? It is technically possible to use load-balancer but it will be really hacky. You would have

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Petr Spacek
describe it in detail, please? Petr^2 Spacek > 2015-03-06 14:24 GMT+01:00 Petr Spacek : >> On 6.3.2015 14:08, Martin Kosek wrote: >>> I'm figuring out how to regenerate the webserver certificates so I can >>> use a loadbalancer in front of my ipa servers. >> >&g

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Petr Spacek
e human users too or just API clients. Petr^2 Spacek > 2015-03-06 15:31 GMT+01:00 Petr Spacek : >> On 6.3.2015 15:13, Matt . wrote: >>> Hi, >>> >>> But as the user is the same, I could use the same keytab for each ipa >>> server ? >>> >

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Petr Spacek
ed. Petr^2 Spacek > > Thanks again! > > Cheers, > > Matthijs > > 2015-03-06 16:16 GMT+01:00 Petr Spacek : >> On 6.3.2015 15:39, Matt . wrote: >>> I have 2 IPA servers where I kinit to and post to the api using curl/json. >> >> If we are talking purely a

Re: [Freeipa-users] Errors while adding DNS Zone

2015-03-10 Thread Petr Spacek
Hello! First of all, what version of FreeIPA do you use? FreeIPA 4.1.what? On 9.3.2015 19:18, Matt Wells wrote: > I'm getting some errors on a DNS Zone that I'm attempting to create. > My systems reside within a sub-domain of example.com. > (xyz.example.com) > Of course example.com is the interne

Re: [Freeipa-users] Can't add AD user group to IPA group

2015-03-10 Thread Petr Spacek
On 10.3.2015 12:14, Guertin, David S. wrote: >>> Seems the initial/default setup for IPA server is to put in an 'allow_all' >> rule. Thus you can actively manage HBAC but out of the box, it is essentially >> turned off by that rule. >> >> Yes. The default was the opposite a very long time ago, you ha

Re: [Freeipa-users] AD permissions needed for setting up AD trusts

2013-01-03 Thread Petr Spacek
On 12/21/2012 01:19 PM, Sumit Bose wrote: On Fri, Dec 21, 2012 at 12:30:33PM +0100, James Findley wrote: Hi What permission level is needed for the AD user when creating an AD trust? Can a regular domain user account do it, or is a domain admin needed? The account used here must be a member

Re: [Freeipa-users] Fwd: user sync works, passsync eludes me

2013-01-03 Thread Petr Spacek
Hello, can you please open a bug against passsync and describe what exactly you did? Log message should clearly mention problem with certificate when it happens. Thank you. Petr^2 Spacek On 12/21/2012 03:41 PM, Nate Marks wrote: Nevermind. I was mucking up the certificate. got it fixed.

Re: [Freeipa-users] Kerberos and Cisco

2013-01-03 Thread Petr Spacek
On 12/23/2012 07:31 PM, Simo Sorce wrote: On Fri, 2012-12-21 at 18:23 -0500, Dmitri Pal wrote: On 12/21/2012 05:40 PM, Mike Mercier wrote: Hi Bret, I tried this once in the past with no success. If I recall correctly (I can't find the reference anymore), Cisco (at least in IOS 12.4 that I te

Re: [Freeipa-users] Setting up single domain but with dns subdomains

2013-01-09 Thread Petr Spacek
On 8.1.2013 20:06, Rob Crittenden wrote: Orion Poplawski wrote: I'm looking into migrating our 389ds ldap + kerberos to FreeIPA and I'm wondering how to set up DNS autodiscovery (if possible) in a way to point to different servers in different locations. We have two major offices, one that uses

[Freeipa-users] CSV support in IPA administration tools - to be, or not to be?

2013-01-10 Thread Petr Spacek
Hello, is there any user of CSV support built into IPA administration tools ("ipa" command)? Do you consider it sane or even useful? Please reply. I wanted to add a single TXT record with double quotation marks (") inside the TXT data. I spent some time figuring out how it is supposed to wo

Re: [Freeipa-users] AD permissions needed for setting up AD trusts

2013-01-11 Thread Petr Spacek
On 11.1.2013 10:19, Alexander Bokovoy wrote: On Fri, 11 Jan 2013, David Juran wrote: On fre, 2013-01-04 at 19:04 +0100, Ana Krivokapic wrote: On 01/03/2013 12:28 PM, Petr Spacek wrote: > On 12/21/2012 01:19 PM, Sumit Bose wrote: >> On Fri, Dec 21, 2012 at 12:30:33PM +0100, James Find

Re: [Freeipa-users] error: Realm not local to KDC

2013-01-16 Thread Petr Spacek
Hello, as Dmitri said, this problem is probably related to DNS. I would recommend running tcpdump/wireshark on the client, capturing all network traffic during client enrolment and checking IP addresses. You will probably see the IP address of the AD server more often than you should ... Petr^2 Spacek On

Re: [Freeipa-users] FreeIPA Client Setup in Windows 7 & Ubuntu

2013-01-22 Thread Petr Spacek
On 22.1.2013 17:04, Rob Crittenden wrote: Vijay Thakur wrote: On Monday 21 January 2013 10:30 PM, freeipa-users-requ...@redhat.com wrote: Vijay Thakur Here is the logs of server side: an 22 16:21:02 ds.example.com krb5kdc[1376](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.51.16: NEEDED_PR

Re: [Freeipa-users] Failed to obtain host TGT bug

2013-02-01 Thread Petr Spacek
On 1.2.2013 15:42, William Muriithi wrote: Hello pal, I have a centos 6.3 that fails to enroll to the IPA server however much I try. I believe it's because of the bug below. I have updated the IPA client but it seems it is only fixed on ipa-3.0 which ships on RHEL 6.4 How many replicas do you

Re: [Freeipa-users] ipa replica install fails

2013-02-05 Thread Petr Spacek
On 5.2.2013 15:15, Rajnesh Kumar Siwal wrote: Is there any other log file that may suggest something. It would be great if we could figure out what's the cause of the error. I would recommend running tcpdump on one of the servers and looking at what is sent over the wire. It is the most effective way.

Re: [Freeipa-users] ipa replica install fails

2013-02-05 Thread Petr Spacek
On 5.2.2013 15:45, Rajnesh Kumar Siwal wrote: Finally , I installed it with "--skip-conncheck":- Now DNS fails to start. I tried ipa-dns-install too:- [root@ipa2 log]# ipa-dns-install The log file for this installation can be found in /var/log/ipaserver-install.log ==

Re: [Freeipa-users] ipa replica install fails

2013-02-05 Thread Petr Spacek
On 5.2.2013 17:15, Rajnesh Kumar Siwal wrote: Last time the installation of replica failed. So this is second time I did it (The logs in the mail are from the second time after I uninstalled the ipa2). After installing the replica, I restarted IPA and failed to start the KDC too. So, kinit admin

Re: [Freeipa-users] ipa replica install fails

2013-02-06 Thread Petr Spacek
On 6.2.2013 07:17, Rajnesh Kumar Siwal wrote: I am missing these two entries in ipa1 (The Master that was installed first):- HTTP/ipa2.xyz@xyz.dmz DNS/ipa2.xyz@xyz.dmz The above entries are present only in ipa2. It seems like replication problems to me. Did you already solve problems

Re: [Freeipa-users] Account Expiration

2013-02-13 Thread Petr Spacek
On 12.2.2013 20:21, John Dennis wrote: On 02/12/2013 01:40 PM, Rob Crittenden wrote: Is it possible to ipa to send a email to user when his account is about to expire (the current date is near krbprincipalexpiration date) ? Not currently. In 3.0+ we will provide a notice when one logs into the

Re: [Freeipa-users] Restricting other User's Details to be visible to a user

2013-02-13 Thread Petr Spacek
On 13.2.2013 11:38, Rajnesh Kumar Siwal wrote: It has been found that any user can see the details of other users through the IPA Web Interface (even ldapsearch with anonymous user). It would be great if we could hide the details of the other users from the current user (including emai, phone num

Re: [Freeipa-users] Logging of Who does What on IPA Server

2013-02-14 Thread Petr Spacek
On 14.2.2013 09:49, Martin Kosek wrote: On 02/14/2013 08:20 AM, Rajnesh Kumar Siwal wrote: IPA is going to be a very critical Server for any environment. Do we have proper logging of who has locked whom, who has created a sudo policy, who has allowed access to whom etc.? Hello Rajnesh, the audi

Re: [Freeipa-users] permissions of the user uid=sudo, cn=sysaccounts, cn=etc, dc=example, dc=com

2013-02-18 Thread Petr Spacek
On 17.2.2013 20:05, Rajnesh Kumar Siwal wrote: Please guide us about the LDAP user "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com". Does it have read-only access or read-write access to the "uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com"? Because the file /etc/ldap.conf is readable by all

Re: [Freeipa-users] named crash: RUNTIME_CHECK pthread_mutex_destroy failed

2013-02-18 Thread Petr Spacek
On 18.2.2013 17:27, Michael Mercier wrote: Hello, Named stopped on one of my IPA servers over the weekend, this was the last message in the log file: ldap_helper.c:627: fatal error: RUNTIME_CHECK(((pthread_mutex_destroy(((&ldap_conn->lock))) == 0) ? 0 : 34) == 0) failed exiting (due to fatal

Re: [Freeipa-users] KPasswd TCP issues

2013-02-20 Thread Petr Spacek
On 19.2.2013 23:29, ninib...@worldd.org wrote: > > > >> On Tue, Feb 19, 2013 at 10:49:42AM -0700, ninib...@worldd.org > wrote: > >>> I used IPA from the CentOS 6 repositories and I am having an > issue I > >>> can't seem to solve. I installed a server and a client with > no > >>> is

Re: [Freeipa-users] Windows authentication against FreeIPA documentation question.

2013-02-22 Thread Petr Spacek
On 22.2.2013 09:49, Han Boetes wrote: Regarding: http://freeipa.org/page/Windows_authentication_against_FreeIPA I noticed that I have to create a matching user on the windows machine before the user can log in. I don't have to set the password, but I do have to add a user as the local admin on t

Re: [Freeipa-users] Windows authentication against FreeIPA documentation question.

2013-02-22 Thread Petr Spacek
On 22.2.2013 10:04, Petr Spacek wrote: On 22.2.2013 09:49, Han Boetes wrote: Regarding: http://freeipa.org/page/Windows_authentication_against_FreeIPA I noticed that I have to create a matching user on the windows machine before the user can log in. I don't have to set the password, but

Re: [Freeipa-users] FreeIPA for AMM users management

2013-02-26 Thread Petr Spacek
(You can send the data to me privately, if you want.) Petr^2 Spacek On Mon, 05/11/2012 at 09:32 +0100, Petr Spacek wrote: On 11/03/2012 01:12 PM, Pavel Zhukov wrote: Can you do NS lookup of the IPA server from the AMM box? yes Can you do kinit from the AMM box against IPA? Can you do ldaps

Re: [Freeipa-users] RHEL 6.4 , IPA 3.0 and bind-chroot

2013-02-26 Thread Petr Spacek
On 23.2.2013 23:01, Dale Macartney wrote: On 02/23/2013 09:47 PM, Dmitri Pal wrote: On 02/23/2013 12:48 PM, Dale Macartney wrote: > > >> Hi all >> >> I've just performed a clean IPA installation and noticed that if you're >> using integrate

Re: [Freeipa-users] FreeIPA for AMM users management

2013-02-27 Thread Petr Spacek
tupid, but I want to be sure in them :) I really don't know AAM specifics. Please read all AAM's documentation you find and try various settings. We can provide general advice and publish your findings on freeipa.org. Any contributions welcome! Petr^2 Spacek On Tue, 26/02/2013 at 1

Re: [Freeipa-users] Cannot obtain CA Certificate

2013-02-27 Thread Petr Spacek
On 26.2.2013 17:55, John Moyer wrote: Sorry for the late response, so I tried this, and it changed the error to the following: Synchronizing time with KDC... Joining realm failed: HTTP response code is 401, not 200 Installation failed. Rolling back changes. Looking at debug this is what I s

Re: [Freeipa-users] Cannot obtain CA Certificate

2013-02-27 Thread Petr Spacek
On 27.2.2013 11:34, Jan-Frode Myklebust wrote: On Wed, Feb 27, 2013 at 10:42:49AM +0100, Petr Spacek wrote: < HTTP/1.1 401 Authorization Required < Date: Tue, 26 Feb 2013 16:54:21 GMT < Server: Apache/2.2.15 (CentOS) * gss_init_sec_context() failed: : Server krbtgt/c...@example.com

Re: [Freeipa-users] Errors when trying IPA,Dovecot GSSAPI.

2013-03-08 Thread Petr Spacek
On 7.3.2013 18:06, Dale Macartney wrote: I have just updated the article to have dovecot automatically creating a maildir in a custom location. http://www.freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On It's not NFS based in the homedir, but technically if you're us

Re: [Freeipa-users] check host password age

2013-03-13 Thread Petr Spacek
On 12.3.2013 14:41, Stijn De Weirdt wrote: hi all, (i'm new to freeipa, so it's possible i missed some docs here and there ;) i'm looking to add hosts with some secret password to ipa, then during kickstart install they use this password to run ipa-client-install. You need to add host account

Re: [Freeipa-users] Realm distrubuted across data centers

2013-03-13 Thread Petr Spacek
On 13.3.2013 14:28, Rob Crittenden wrote: Michael ORourke wrote: I think SRV records are only part of the problem. We are using integrated BIND/DNS with our IPA servers and I'm not sure it supports views. But thanks for the suggestion. I guess we could create custom krb5.conf files in each DC

Re: [Freeipa-users] Realm distributed across data centers

2013-03-14 Thread Petr Spacek
On 13.3.2013 16:17, de Jong, Mark-Jan wrote: On Wed, 2013-03-13 at 09:28 -0400, Rob Crittenden wrote: Michael ORourke wrote: I think SRV records are only part of the problem. We are using integrated BIND/DNS with our IPA servers and I'm not sure it supports views. But thanks for the suggest

Re: [Freeipa-users] getattr cli option?

2013-03-21 Thread Petr Spacek
On 21.3.2013 10:15, Martin Kosek wrote: On 03/21/2013 06:59 AM, Brian Cook wrote: Is there something equivalent to 'getattr' for ipa host-mod? I see setattr, addattr and delattr but to get attributes you have to do host-show --all. There is no way to ask for one specific attribute? I would

Re: [Freeipa-users] bind-dyndb-ldap howto use wildcard

2013-03-25 Thread Petr Spacek
On 23.3.2013 18:17, Marc Roos wrote: I don't seem to get the wildcard working. Is this a correct way of creating a DNS record? DN: idnsName=*.241.36.65,idnsName=rbl.test.com,dc=office,dc=local objectClass: idnsRecord aRecord: 127.0.0.1 idnsName: *.241.36.65 If I do a dig on the nameserver on 1.2

Re: [Freeipa-users] User admins for different groups

2013-03-26 Thread Petr Spacek
On 26.3.2013 15:10, Rob Crittenden wrote: Philipp Richter wrote: On 03/26/2013 12:39 AM, Dmitri Pal wrote: I am trying to do the following: We have some branch offices at different locations. We want to use one ipa-server with replicas in each branch office. Each branch office should have it'

[Freeipa-users] Announcing bind-dyndb-ldap version 2.6

2013-03-27 Thread Petr Spacek
orted. == Feedback == Please provide comments, bugs and other feedback via the freeipa-users mailing list: http://www.redhat.com/mailman/listinfo/freeipa-users -- Petr Spacek Software engineer Red Hat ___ Freeipa-users mailing list Freeipa-us

Re: [Freeipa-users] User admins for different groups

2013-03-28 Thread Petr Spacek
On 28.3.2013 09:38, Philipp Richter wrote: Am 26.03.2013 um 16:55 schrieb Rob Crittenden : Petr Spacek wrote: On 26.3.2013 15:10, Rob Crittenden wrote: Philipp Richter wrote: On 03/26/2013 12:39 AM, Dmitri Pal wrote: I am trying to do the following: We have some branch offices at

Re: [Freeipa-users] How to submit feature request for FreeIPA

2013-04-02 Thread Petr Spacek
On 2.4.2013 07:43, pekka.pan...@sofor.fi wrote: BTW: is there any place when i can submit feature requests, eg. default shell IPA configuration to be used with AD trusts users also. Go to https://fedorahosted.org/freeipa/newticket and file a new ticket. Please describe all the details and ideas

[Freeipa-users] [Freeipa-interest] Announcing bind-dyndb-ldap version 3.0

2013-04-02 Thread Petr Spacek
ng list: http://www.redhat.com/mailman/listinfo/freeipa-users -- Petr Spacek Software engineer Red Hat

Re: [Freeipa-users] User Roles and access in GUI

2013-04-15 Thread Petr Spacek
rious containers based on, well, something. Would it be possible to create a new role to allow current 'read-all access' and add this role to all users by default? It could be much simpler to change the behaviour with this role, or not? :-)

Re: [Freeipa-users] question about bind 10 plans

2013-04-29 Thread Petr Spacek
On 29.4.2013 08:40, Артур Файзуллин wrote: On Mon., 29/04/2013 at 08:11 +0300, Alexander Bokovoy writes: Bind 10 module is on our radar. There is not much to add. I'm in touch with one Bind 10 developer and we are discussing various possibilities of integration. Let me know if you are intereste

Re: [Freeipa-users] nsupdate refused

2013-04-29 Thread Petr Spacek
Hello, On 28.4.2013 19:50, Jakub Hrozek wrote: > >get a single machine to be able to perform any update, and have this as > >one of the entries in my "bind update policy": > >grant SERVICE\047foreman.collmedia@collmedia.net wildcard * ANY; String "SERVICE/ipaserver.example@example.com

[Freeipa-users] Announcing bind-dyndb-ldap version 3.2

2013-05-15 Thread Petr Spacek
: http://www.redhat.com/mailman/listinfo/freeipa-users -- Petr Spacek Software engineer Red Hat

Re: [Freeipa-users] [Freeipa-devel] Announcing bind-dyndb-ldap version 3.2

2013-05-21 Thread Petr Spacek
On 21.5.2013 07:00, Timo Aaltonen wrote: On 20.05.2013 23:01, Dmitri Pal wrote: On 05/20/2013 09:21 AM, Timo Aaltonen wrote: On 15.05.2013 11:58, Petr Spacek wrote: The FreeIPA team is proud to announce bind-dyndb-ldap version 3.2. == Feedback == Please provide comments, bugs and other

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-29 Thread Petr Spacek
On 29.5.2013 07:42, John Moyer wrote: Yeah, I replaced both certs; however, in my troubleshooting I've found more, I'll say, symptoms or potential problems, which may stem from this or be independent from it. 1. Showing this error message on restarting the service: EXAMPLE-COM...[29/May/2013:
