Re: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release

2011-03-01 Thread Rob Crittenden
Steven Jones wrote: I think it is a mismatch between what we've stored as the hostname and the hostname of the machine. Can you look at the output of these commands and see if the hostname is the same between them all? $ ldapsearch -x -s one -b cn=masters,cn=ipa,cn=etc,dc=ipa,dc=ac,dc=nz dn $

Re: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release

2011-03-02 Thread Rob Crittenden
Steven Jones wrote: Hi, Yep... that is the issue... I put it in, rebooted, worked, took it out, rebooted, didn't work, put it back in, rebooted and it worked again. Wonders of a GUI setup... normally I do it by hand and do a FQDN... I assumed because it was short form in the file that is the way i

Re: [Freeipa-users] Setup windows AD Sync Failure

2011-03-02 Thread Rob Crittenden
Sayid Munawar wrote: Dear, I have successfully installed freeipa-server 2 rc2 and created some test users and tested machine enrollment. Now, what I want to do next is sync all my Windows 2008r2 AD accounts. I've already got the cert needed, and tested it with ldapsearch tools in the same hos

Re: [Freeipa-users] replication setup failure

2011-03-02 Thread Rob Crittenden
Steven Jones wrote: 8>< starting replication, please wait until this has completed. Update in progress Update in progress Update in progress Update in progress Update in progress Update succeeded [21/27]: adding replication acis [22/27]: initializing group membership [23/27]: adding

Re: [Freeipa-users] Definitive firewall ruleset.

2011-03-03 Thread Rob Crittenden
Steven Jones wrote: This is becoming a bit of a grind. Anyway, either I have not found it yet, or a definitive set of ports that need to be open isn't there. This is my best shot so far; have I missed any or are there some not needed? ACCEPT tcp -- 192.168.100.0/24 0.0.0.0/0

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-03 Thread Rob Crittenden
Steven Jones wrote: I appear to have IPA running, I have run the install client on a fed14 KVM guest and that guest is in the IPA system, however the users in IPA cannot authenticate via IPA and get onto the client. There appears to be traffic to port 389, so I assume it's "almost" working... but

Re: [Freeipa-users] Time bug

2011-03-04 Thread Rob Crittenden
Simo Sorce wrote: On Fri, 4 Mar 2011 15:16:36 +1300 Steven Jones wrote: Hi, Americans are funny ppl, they put the date format as month then day... the problem is, in the real world, it's day then month. So I have registered 1 client and 2 ipa masters as of 4th March 2011 NZST, but the IPA s

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-04 Thread Rob Crittenden
Dmitri Pal wrote: On 03/03/2011 02:53 PM, Steven Jones wrote: 8>< I have no idea, I'm trying to follow the ipa document (version 0.5)... so if it says do something I try and do it... if it doesn't say do something, well... it doesn't get done as I can't mind read. What I want is encrypted conne

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-04 Thread Rob Crittenden
Dmitri Pal wrote: On 03/04/2011 10:45 AM, Rob Crittenden wrote: Dmitri Pal wrote: On 03/03/2011 02:53 PM, Steven Jones wrote: 8>< I have no idea, I'm trying to follow the ipa document (version 0.5)... so if it says do something I try and do it... if it doesn't say do something, well

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Rob Crittenden
Steven Jones wrote: I can do a ldapsearch -x -b "dc=ipa,dc=ac,dc=nz" | more which returns LDAP info... that looks fine... the query looks OK. getent passwd "user" however only returns one line, not the two I should expect? Why do you expect two lines? It should only return one, for that us

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Rob Crittenden
Steven Jones wrote: 8><-- So how do I fault find? Where do I start? i.e. where do I start to look to determine why a user cannot login to a client via freeipa? How can I be more clear? Because so far the replies have been not very productive. regards Add debug_level = 9 to the ipa prov

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Rob Crittenden
Steven Jones wrote: Hi, Log, The error is "Host is already joined" so no keytab is requested. The enrollment failed. ipa-client-install --uninstall should unenroll the client (you can verify that Keytab is False in ipa host-show on the IPA server. If so running ipa-client-install on t

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-09 Thread Rob Crittenden
Steven Jones wrote: Hi, I have gone into the webgui and manually removed the no1 client/host, it has now joined successfully... So Yes, the next issue regards I'm going to try to consolidate a few things here from some other responses. * You do not need to pre-create the host in order

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-09 Thread Rob Crittenden
Steven Jones wrote: Ok, however I can't LDAP/IPA authenticate still... on either client.. So what next? sssd handles logins, you can try turning up the log level on that (though I suspect it wasn't the reboot that fixed this but restarting sssd). As part of ipa-client-install sssd i

[Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 3 Release

2011-03-10 Thread Rob Crittenden
ap: in ipa core tools. Rob Crittenden (12): * Set SuiteSpotGroup when setting up our 389-ds instances. * Use Sudo rather than SUDO as a label. * Replace only if old and new have nothing in common * Need to restart the dogtag 388-ds instance before using it. * Skip DNS validation checks if we&

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-11 Thread Rob Crittenden
Simo Sorce wrote: - Original Message - Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl03.ipa.ac...@ipa.ac .NZ] not found in keytab [default] (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verif

Re: [Freeipa-users] Repository error

2011-03-11 Thread Rob Crittenden
Sylvain PANNETRAT wrote: Hello, I try to update a fedora 14 client, and get: http://freeipa.com/downloads/devel/rpms/F14/x86_64/repodata/primary.xml.gz: [Errno -1] Metadata file does not match checksum After yum clean all, I get: freeipa-devel/primary | 8.8 kB 00:00 http://freeipa.com/downloads/d

Re: [Freeipa-users] Sync with AD error

2011-03-11 Thread Rob Crittenden
Sigbjørn Lie wrote: Hi, I just upgraded my FreeIPA @ F14 to 2.0.0.rc3, and attempted to add a sync agreement with Active Directory. Added CA certificate /root/testing-ca.cer to certificate database for ipasrv01.ix.testing.com ipa: INFO: AD Suffix is: DC=ad,DC=testing,DC=com The user for the Win

Re: [Freeipa-users] Sync with AD error

2011-03-11 Thread Rob Crittenden
Sigbjørn Lie wrote: On 03/11/2011 09:16 PM, Rob Crittenden wrote: Sigbjørn Lie wrote: Hi, I just upgraded my FreeIPA @ F14 to 2.0.0.rc3, and attempted to add a sync agreement with Active Directory. Added CA certificate /root/testing-ca.cer to certificate database for ipasrv01.ix.testing.com

Re: [Freeipa-users] ipa client install

2011-03-22 Thread Rob Crittenden
Uzor Ide wrote: Hi, is there a requirement for the same version of client as the server? I've just installed freeipa server version 2.0 rc3. While on the client side, I have a previously installed client version 2.0 beta1. It would not join the realm. I had run the client install script to remove t

Re: [Freeipa-users] rhel6 ipa-1.2.2 clients fail to update user passwords

2011-03-22 Thread Rob Crittenden
Andy Singleton wrote: Hello, I am trying to install a rhel6 machine with the ipa-1.2.2 client. Everything appears to work fine, with the exception of updating users passwords from the client. From the user perspective, I get this: /Changing password for user andytest./ /Kerberos 5 Password:

Re: [Freeipa-users] ipa client install

2011-03-23 Thread Rob Crittenden
owever the client is a fedora 13 box. > There is no client rpm for fedora 13 We do not build F13 any more as the packages and functionality they provide deviated so far between F14-F15 and F13. > ------Original Message-- > From: Rob Crittenden > To: Uzor Ide

[Freeipa-users] Announcing FreeIPA v2 Server

2011-03-25 Thread Rob Crittenden
when DNS record is added Pavel Zuna (1): * Update translation file (ipa.pot). Rob Crittenden (4): * Always consider domain and server when doing DNS discovery in client. * Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance. * Ensure that the system hostname is lower-case

Re: [Freeipa-users] migrate from LDAP to FreeIPA ?

2011-03-25 Thread Rob Crittenden
Jan-Frode Myklebust wrote: We run a quite pure RHEL server environment, with users, groups, authentication (ldap bind), sudorules and netgroups all in two master-master replicating 389ds'. The users and groups are managed by Sun Identity Manager (SIM), which pushes them to the directory servers -

Re: [Freeipa-users] Regression in adding reverse dns records

2011-03-28 Thread Rob Crittenden
Steven Whately wrote: My mistake. I was missing the trailing . Before: ipa dnsrecord-add --ptr-rec=server.example.com. 1.168.192.in-addr.arpa 1 After: ipa dnsrecord-add --ptr-rec=server.example.com. 1.168.192.in-addr.arpa. 1 Cheers Steve Whately A bit of a lousy error message though. I filed

Re: [Freeipa-users] Adding user accounts

2011-03-28 Thread Rob Crittenden
Sigbjorn Lie wrote: Thanks. I also noticed that a group with the same GID number as the user's UID number is automatically created when creating the user account; this is a problem for existing environments who've already used the same ID number for a group. I see that even after doing a user-m

Re: [Freeipa-users] Adding user accounts

2011-03-28 Thread Rob Crittenden
gs considerably. We're working with the 389-ds devs on this. There is the tradeoff of speed vs correctness (users don't like watching a blinking prompt). Some of these post-ops could take a while. rob Rgds, Siggi On Mon, March 28, 2011 16:02, Rob Crittenden wrote: Sigbjorn

Re: [Freeipa-users] FreeIPA 2 on F14

2011-03-28 Thread Rob Crittenden
Roland Kaeser wrote: Hello, just tried to install 2.0 on a F14. It tells me that freeipa-server-2.0rc3 requires 389-ds-base 1.2.8 but available is only 1.2.7. Can I also use 389-ds-base-1.2.7 and is it actually possible to install freeipa on F14? I wouldn't like to use F15 because it's already bet

Re: [Freeipa-users] replica install failure....

2011-03-29 Thread Rob Crittenden
Steven Jones wrote: Just tried to make a replica and the install failed with, [4/11]: configuring certificate server instance root: CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname fed14-64-ipam002.ipa.ac.nz -cs_port 9445 -cli

Re: [Freeipa-users] client setup failure

2011-03-29 Thread Rob Crittenden
Martin Kosek wrote: On Tue, 2011-03-29 at 12:49 +0200, tomasz.napier...@allegro.pl wrote: On 2011-03-29, at 10:20, Martin Kosek wrote: On Tue, 2011-03-29 at 00:08 +, Steven Jones wrote: What is a content of _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client installation uses this DNS record

Re: [Freeipa-users] AD setup failure

2011-03-29 Thread Rob Crittenden
Steven Jones wrote: Got a bit further...I was missing "--passsync" I think you were using the V1 documentation. The "Enterprise Identity Management Guide" is what you want off freeipa.org in the Documentation section. [root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsy

Re: [Freeipa-users] client setup failure

2011-03-29 Thread Rob Crittenden
Dmitri Pal wrote: On 03/29/2011 03:26 PM, Steven Jones wrote: Hi, The DNS is in AD so it can't be set to suit IPA. I did as below and even with --force your script ignores these flags, it insists on doing AD lookups and gets the AD info... and obviously the cert isn't on the AD box. 8><---

Re: [Freeipa-users] replica install failure....

2011-03-29 Thread Rob Crittenden
Steven Jones wrote: Hi, This is F14, guess you missed the hostnames... It is not safe to assume based on hostname which is why I also asked. Your problem is this: Unable to Send Request:java.net.NoRouteToHostException: No route to host java.net.NoRouteToHostException: No route to host It lo

Re: [Freeipa-users] client setup failure

2011-03-29 Thread Rob Crittenden
Steven Jones wrote: What do I put in the python script as a work around? https://www.redhat.com/archives/freeipa-devel/2011-March/msg00227.html regards From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal

Re: [Freeipa-users] client setup failure

2011-03-29 Thread Rob Crittenden
autodiscover. With the patch and --force it should push through and complete the installation. rob regards From: Rob Crittenden [rcrit...@redhat.com] Sent: Wednesday, 30 March 2011 8:50 a.m. To: Steven Jones Cc: d...@redhat.com; freeipa-users@redhat.com

Re: [Freeipa-users] client setup failure

2011-03-29 Thread Rob Crittenden
Steven Jones wrote: I used --force as well... it still ignores it More information would be helpful. Ignores it how, what error messages do you get, etc. rob regards From: Rob Crittenden [rcrit...@redhat.com] Sent: Wednesday, 30 March 2011 8

Re: [Freeipa-users] AD setup failure

2011-03-29 Thread Rob Crittenden
guessing they didn't give you the root CA cert. rob regards Steven ________ From: Rob Crittenden [rcrit...@redhat.com] Sent: Wednesday, 30 March 2011 2:50 a.m. To: Steven Jones Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] AD setup failure Steve

Re: [Freeipa-users] client setup failure

2011-03-29 Thread Rob Crittenden
xit status 8 [root@fed14-64-cli01 tmp]# So the client isn't appearing in the IPA web GUI... so it's a total failure to join... The patch hasn't been applied. It will cause the wget to be non-fatal, it will just log and return. rob regards ____ From:

Re: [Freeipa-users] client setup failure

2011-03-29 Thread Rob Crittenden
y make the changes by hand. rob ____ From: Rob Crittenden [rcrit...@redhat.com] Sent: Wednesday, 30 March 2011 9:16 a.m. To: Steven Jones Cc: d...@redhat.com; freeipa-users@redhat.com Subject: Re: [Freeipa-users] client setup failure Steven Jones wrote: [root@fed1

Re: [Freeipa-users] AD setup failure

2011-03-29 Thread Rob Crittenden
nson [rmegg...@redhat.com] Sent: Wednesday, 30 March 2011 9:36 a.m. To: Steven Jones Cc: Rob Crittenden; freeipa-users@redhat.com Subject: Re: [Freeipa-users] AD setup failure On 03/29/2011 02:32 PM, Steven Jones wrote: Hi, Yes its a "intermediate CA" In the real world combining them i

Re: [Freeipa-users] AD setup failure

2011-03-29 Thread Rob Crittenden
Steven Jones wrote: Hi, I get "certutil: function failed: security library: bad database." Sorry, I should have quoted Imported CA, try: # certutil -d /etc/dirsrv/slapd-IPA-AC-NZ/ -D -n "Imported CA" rob ________ From: Rob Crittenden

Re: [Freeipa-users] client setup failure

2011-03-29 Thread Rob Crittenden
Steven Jones wrote: From: Rob Crittenden [rcrit...@redhat.com] Sent: Wednesday, 30 March 2011 9:24 a.m. To: Steven Jones Cc: d...@redhat.com; freeipa-users@redhat.com Subject: Re: [Freeipa-users] client setup failure Steven Jones wrote: What patch

Re: [Freeipa-users] client setup failure

2011-03-29 Thread Rob Crittenden
can try building the 2.0.0 rpms on F-14 using the F-15 src.rpm. You'd still need this patch though. rob regards Steven ____ From: Rob Crittenden [rcrit...@redhat.com] Sent: Wednesday, 30 March 2011 10:06 a.m. To: Steven Jones Cc: d...@redhat.com; freei

Re: [Freeipa-users] Auto membership plugin

2011-03-30 Thread Rob Crittenden
Dmitri Pal wrote: Hello, Please find the design for the auto membership plugin: https://fedorahosted.org/freeipa/ticket/753 Here: http://directory.fedoraproject.org/wiki/Auto_Membership_Design I have some comments and questions: 1) Is the AND functionality for inclusion criteria required? 2) Ho

Re: [Freeipa-users] Auto membership plugin

2011-03-30 Thread Rob Crittenden
Nathan Kinder wrote: On 03/30/2011 06:32 AM, Rob Crittenden wrote: Dmitri Pal wrote: Hello, Please find the design for the auto membership plugin: https://fedorahosted.org/freeipa/ticket/753 Here: http://directory.fedoraproject.org/wiki/Auto_Membership_Design I have some comments and

Re: [Freeipa-users] IPA Client join

2011-03-31 Thread Rob Crittenden
Roland Kaeser wrote: Hello, just trying to add Scientific Linux 6 (RHEL 6) into the freeipa. Sorry to say that, but after reading a lot of the documentation I found that most of it is obsolete or just wrong. For example: in http://freeipa.org/docs/2.0.0/Client_Setup_Guide/en-US/html/#chap-Client_C

Re: [Freeipa-users] IPA Client join

2011-03-31 Thread Rob Crittenden
upgrade to Fedora-15 from there. It has been fairly painless. The GA IPA release is in the stable repo of F-15 now. regards rob - Ursprüngliche Mail - Von: "Sigbjorn Lie" An: "Rob Crittenden" CC: "Roland Käser", freeipa-users@redhat.com Gesendet: Donn

Re: [Freeipa-users] Auto membership plugin

2011-03-31 Thread Rob Crittenden
Nathan Kinder wrote: On 03/30/2011 10:19 AM, Dmitri Pal wrote: On 03/30/2011 12:44 PM, Nathan Kinder wrote: On 03/30/2011 06:00 AM, Dmitri Pal wrote: Hello, Please find the design for the auto membership plugin: https://fedorahosted.org/freeipa/ticket/753 Here: http://directory.fedoraproject.

Re: [Freeipa-users] 6.1 beta

2011-04-04 Thread Rob Crittenden
Sigbjorn Lie wrote: On 04/04/2011 06:22 PM, Sigbjorn Lie wrote: On 04/04/2011 03:43 PM, Dmitri Pal wrote: On 04/03/2011 05:41 PM, Sigbjorn Lie wrote: According to Red Hat Network it does: ipa-server-2.0.0-16.el6.x86_64

Re: [Freeipa-users] Installing on CentOS 5.X?

2011-04-12 Thread Rob Crittenden
Gavin McQuillan wrote: Hi, We're moving to a vendor which only supports servers with CentOS or RHEL. I see a 2 1/2 year old document for building SRC RPMs to get an older version of ipa-server running: http://howtoforge.com/how-to-build-rhel-ipa-rpms-for-centos-5. However there are problems wit

[Freeipa-users] Announcing FreeIPA 2.0.1

2011-05-02 Thread Rob Crittenden
on the IPA server * pwpolicy-mod doesn't accept old attribute values * Forbid reinstallation in ipa-client-install * ipa-client-install uninstall does not work on IPA server * LDAP Updater may crash IPA installer Pavel Zuna (1): * Fix gidnumber option of user-add command. Rob Crittende

Re: [Freeipa-users] Disk layout - requirements

2011-05-06 Thread Rob Crittenden
Steven Jones wrote: Hi, Digging through docs / googling I can't see any disk partition suggestions and size thereof requirements... Suggestions please? Sizing for 500 servers, 2000 desktops, 5000+ users... Especially around having different sections of the IPA master on different raid group

Re: [Freeipa-users] Disk layout - requirements

2011-05-09 Thread Rob Crittenden
Dmitri Pal wrote: On 05/06/2011 11:58 AM, Sigbjorn Lie wrote: On 05/06/2011 04:12 PM, Rob Crittenden wrote: Steven Jones wrote: Hi, Digging through docs / googling I can't see any disk partition suggestions and size thereof requirements... Suggestions please? Sizing for 500 servers, 2000

Re: [Freeipa-users] RHEL6.1 beta

2011-05-09 Thread Rob Crittenden
Steven Jones wrote: Hi, Where are the ipa-server-2.0 packages held these days? From previous list posts they were here, but I can't find them now: ipa-server-2.0.0-16.el6.x86_64 Red Hat Enterprise Linux

Re: [Freeipa-users] Disk layout - requirements

2011-05-09 Thread Rob Crittenden
eipa-users-boun...@redhat.com] on behalf of Rob Crittenden [rcrit...@redhat.com] Sent: Tuesday, 10 May 2011 3:17 a.m. To: d...@redhat.com Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Disk layout - requirements Dmitri Pal wrote: On 05/06/2011 11:58 AM, Sigbjorn Lie wrote: On 05/0

Re: [Freeipa-users] FreeIPA questions

2011-05-09 Thread Rob Crittenden
SR wrote: I'm new to FreeIPA and this list so please forgive me for the n00b questions. I have what I think is a pretty straight-forward use for FreeIPA. We have an Active Directory environment with a few hundred users. We are starting to increase our number of Macs and need a directory solution.

Re: [Freeipa-users] failure to un-install FreeIPA

2011-05-10 Thread Rob Crittenden
Steven Jones wrote: I logged in via ssh instead so I could get an output and the install worked without a hitch... ssh instead of what? rob :/ weird... regards Steven From: Martin Kosek [mko...@redhat.com] Sent: Tuesday, 10 May 2011 8:32 p.m.

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-10 Thread Rob Crittenden
Steven Jones wrote: Hi, It's quite interesting that there are no real clients for ipa outside of RH/Fedora... this will probably do more to delay or restrict its adoption than anything else. nss_ldap or its equivalent exists on most operating systems. sssd, albeit a rather old one, exists in

Re: [Freeipa-users] fatal error for ipa with dns.

2011-05-11 Thread Rob Crittenden
Steven Jones wrote: Hi, Nope looks like DNS is barfed big time... == [root@vuwunicoipamt01 ~]# host vuwunicoipamt01.unix.vuw.ac.nz vuwunicoipamt01.unix.vuw.ac.nz has address 130.195.81.236 [root@vuwunicoipamt01 ~]# ipa dns-resolve vuwunicoipamt01.unix.vuw.ac.nz ipa: ERROR: Kerb

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-12 Thread Rob Crittenden
nasir nasir wrote: Adam, I tried to follow your recommendations with RHEL 6.1 beta on server and client machine. Centralized login and such things work. I have NFS service too working. But automount is not working. For the time being I configured my server as NFS server and created a folder /exp

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-12 Thread Rob Crittenden
Sigbjorn Lie wrote: On 05/11/2011 09:25 PM, JR Aquino wrote: On May 11, 2011, at 10:51 AM, Sigbjorn Lie wrote: On Wed, May 11, 2011 14:42, Stephen Gallagher wrote: On Tue, 2011-05-10 at 23:42 +0200, Sigbjorn Lie wrote: Hi, I would like to see the ipa client scripts and possibly the admin

Re: [Freeipa-users] fatal error for ipa rhel 5.6 client

2011-05-13 Thread Rob Crittenden
Steven Jones wrote: Any ideas with this please? [root@vuwunicoadmint2 ~]# ipa-client-install --mkhomedir --server vuwunicoipamt01 --domain unix.vuw.ac.nz -p admin Discovery was successful! Realm: UNIX.VUW.AC.NZ DNS Domain: unix.vuw.ac.nz IPA Server: vuwunicoipamt01 BaseDN: dc=unix,dc=vuw,dc=ac,

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-13 Thread Rob Crittenden
nasir nasir wrote: Adam/Nalin, Two cases, 1) When I am testing this by manually mounting the nfs share (which is /xtra) on the NFS server itself using the following command, # mount -t nfs4 -o sec=krb5 nfsserver.cohort.org:/ /home I get whatever problem I described in previous mai

Re: [Freeipa-users] IPA Startup issues

2011-05-16 Thread Rob Crittenden
Sigbjorn Lie wrote: On 05/16/2011 03:41 PM, Dmitri Pal wrote: On 05/14/2011 10:46 AM, Sigbjorn Lie wrote: I've noticed that if the machine running IPA is very busy at startup, the IPA services will not be online when the machine is started. I noticed this is as my test virtualization host has

Re: [Freeipa-users] RHEL client to IPA

2011-05-17 Thread Rob Crittenden
Steven Jones wrote: So what should the command be? # kinit admin # ipa-getkeytab -k /tmp/vuwnicologint2.keytab -p host/vuwunicologint2.unix.vuw.ac.nz -s vuwunicoipamt01.unix.vuw.ac.nz rob regards -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-bou

Re: [Freeipa-users] How to reset the admin password

2011-05-17 Thread Rob Crittenden
Steven Jones wrote: ? $ LDAPTLS_CACERT=/etc/ipa/ca.crt ldappasswd -ZZ -D 'cn=directory manager' -W -S uid=admin,cn=users,cn=accounts,dc=example,dc=com You'll first be prompted for the new admin password twice, then for the Directory Manager password. rob

Re: [Freeipa-users] help! IPA server she explode!

2011-05-19 Thread Rob Crittenden
Steven Jones wrote: I have an internal ajax error! :( the logs say, [Thu May 19 09:59:35 2011] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations [Thu May 19 09:5

Re: [Freeipa-users] Unknown Client?

2015-03-17 Thread Rob Crittenden
Tevfik Ceydeliler wrote: > Hi, > Although I have this configuration in client .conf: > > ## > client 172.30.47.241 { >secret = 877909 >shortname = VodafonePinarsuAPNYeni1 >nastype = other > } > > client 172.30.47.242 {

Re: [Freeipa-users] Can't remove all replica records from ldap

2015-03-17 Thread Rob Crittenden
Kim Perrin wrote: > Hello all, > > For nearly 2 years I’ve been running a Freeipa 3 (currently 3.0.0-42) > environment. We've had 2 masters since the start. Several replicas > have had problems that required me to remove them. I’ve removed them > all (except the very last one) by running ‘ipa-se

Re: [Freeipa-users] Scripting reports from ipa?

2015-03-17 Thread Rob Crittenden
Watson, Dan wrote: > Hi all, > > > > Can anyone tell me how to script calls from the ipa server? I would like > to be able to do something like “ipa group-show unix_admin” in a script, > but I don’t know how to pass Kerberos credentials that don’t expire. I think you want to use credentials in

Re: [Freeipa-users] SSSD in redundant configuration

2015-03-18 Thread Rob Crittenden
Craig White wrote: > *From:*freeipa-users-boun...@redhat.com > [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Andrew Holway > *Sent:* Wednesday, March 18, 2015 9:40 AM > *To:* freeipa-users@redhat.com > *Subject:* [Freeipa-users] SSSD in redundant configuration > > > > Hello, > > >

Re: [Freeipa-users] Problems with ssh and install-uninstall-install sequence on the server

2015-03-18 Thread Rob Crittenden
Prasun Gera wrote: > How do I confirm that there are no certs left behind and that > cert-monger isn't tracking them? I'm a bit new to all the components > used by IPA. I do see that the /root/cacert.p12 file is never deleted. Not clean but this shouldn't prevent re-install. > After an uninstall

Re: [Freeipa-users] Email address for directory admin

2015-03-19 Thread Rob Crittenden
Giedrius Tuminauskas wrote: > Hi, > > I am curious, is there a possibility to add an email address for the > "admin" user in the IPA web UI? > In my current configuration the "admin" user is a Linux system user and also > used by IPA. > I think there should be a possibility to enter an email address for th

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-19 Thread Rob Crittenden
have to >> worry about it, we discussed that here earlier as I remember. >> >> Or do I ? >> >> Something else; did you had a nice PTO ? >> >> 2015-03-12 15:54 GMT+01:00 Rob Crittenden : >>> Matt . wrote: >>>> Hi, >>>> >&g

Re: [Freeipa-users] revocation of a ssl certificate

2015-03-19 Thread Rob Crittenden
Nicolas Zin wrote: > Hi, > > let say that I created a SSL certificate: > ipa service-add HTTP/www.test.lan > ipa service-add-host --hosts=ipa-server.test.lan HTTP/www.test.lan > ipa-getcert request -r -f /etc/pki/tls/certs/www.test.lan.crt -k > /etc/pki/tls/private/www.test.lan.key -N CN=www.test

Re: [Freeipa-users] Replica install fails at client install

2015-03-19 Thread Rob Crittenden
Janelle wrote: > On 3/18/15 10:10 PM, Kim Perrin wrote: >> This is about the 6th time of tried installing this replica. Each time >> I run the ipa-replica-manage del and ipa-csreplica-manage del command >> before trying. I also build new replica install files each time. >> Obviously I can't figure

Re: [Freeipa-users] stupid question - 389-ds

2015-03-19 Thread Rob Crittenden
Janelle wrote: > Hello again, > > Ok, probably a stupid question. If you increase cache sizes and tune > 389-ds on the backend, do those changes replicate or do you need to make > them across the other servers as well? > > For example: > > dn: cn=config,cn=ldbm database,cn=plugins,cn=config > ch

Re: [Freeipa-users] AD users not getting single sign on (Solaris)

2015-03-19 Thread Rob Crittenden
nat...@nathanpeters.com wrote: > I have finally gotten all of my Solaris servers to accept AD users but the > behavior is inconsistent. > > In my FreeIPA domain, I can login to a Linux server and then ssh to the > Solaris server and I am automatically logged in because of my Kerberos > ticket (I a

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-20 Thread Rob Crittenden
We >>>> only do some user adding/chaging stuff, nothing really fancy but it >>>> needs to be decent. As persistence comes in I think we don't have to >>>> worry about it, we discussed that here earlier as I remember. >>>> >>>> Or do

Re: [Freeipa-users] Certificate and key problems in Linux

2015-03-20 Thread Rob Crittenden
nat...@nathanpeters.com wrote: > I have FreeIPA installed on several types of Linux machines and they are > all experiencing strange issues with certificates and host keys. > Here is the setup: > > Server : FreeIPA 4.1.2 on Centos 7 > Client 1&2 : FreeIPA 3.0.0-42.el6 with sssd 1.11.6-30.el6_6.4 o

Re: [Freeipa-users] ipa-client-install failure

2015-03-21 Thread Rob Crittenden
Roberto Cornacchia wrote: > Indeed, id admin does not work and there is no sign of it in the log. > > From the client (with admin-tools installed): > > $ kinit admin > Password for ad...@hq.example.com : > $ ipa user-show admin > User login: admin > Last name: Adm

Re: [Freeipa-users] ipa-client-install failure

2015-03-21 Thread Rob Crittenden
Roberto Cornacchia wrote: > Hi Rob, > > Yes, sssd is running and this is sssd.conf: > > [domain/hq.example.com ] > debug_level=9 > cache_credentials = True > krb5_store_password_if_offline = True > ipa_domain = hq.example.com > id_provider = ipa > au

Re: [Freeipa-users] Having Issues with Dogtag After Updating IPA and Rebooting

2015-03-23 Thread Rob Crittenden
Martin Kosek wrote: > This may mean that Dogtag is not up. Can you please check with "ipactl status" > that it (pki-ca) is up and running and that there are no related SELinux AVCs? > The problem seems to be java-related: The self test plugin named selftests.container.logger.class contains a val

Re: [Freeipa-users] Adding a custom attribute to user object

2015-03-23 Thread Rob Crittenden
Prashant Bapat wrote: > Ok the command you gave me worked. But I was following the PDF and below > command never worked. > > ipa config-mod --addattr=ipaUserObjectClasses=ApigeeUserAttr > > Is that expected ? Did you restart httpd after adding the schema? A cached copy is used and restarting wil

Re: [Freeipa-users] Adding a custom attribute to user object

2015-03-23 Thread Rob Crittenden
05:22 PM, Prashant Bapat wrote: > > Hi Rob, > > > > Yes I did restart it. > > > > Ok another problem. I'm not able to add this attr to existing > users. Only > > the new ones. Any pointers ? > > > >

Re: [Freeipa-users] how can i give set of users to one particular host

2015-03-24 Thread Rob Crittenden
Dmitri Pal wrote: > On 03/24/2015 01:15 PM, Ben .T.George wrote: >> Hi >> >> current stage is AD users are able to login to the solaris box. But I >> don't know up to what level I can control the user. >> >> I don't think there are many PAM modules in solaris. Still I cannot >> make the home directory

Re: [Freeipa-users] how can i give set of users to one particular host

2015-03-24 Thread Rob Crittenden
happy to add it to the freeIPA wiki. rob > > On Tue, Mar 24, 2015 at 9:03 PM, Rob Crittenden <mailto:rcrit...@redhat.com>> wrote: > > Dmitri Pal wrote: > > On 03/24/2015 01:15 PM, Ben .T.George wrote: > >> Hi > >> > >>

Re: [Freeipa-users] ID Range question

2015-03-24 Thread Rob Crittenden
Janelle wrote: > Hello, > > I have seen this pop up a few times, but no real answers - at least none > that I am finding.. > > I have not run into it and this was a brand new server farm with about > 4000 migrated users from OpenLDAP? Is there something I might be missing > when migrating? > > i

Re: [Freeipa-users] Requesting a cert for a user as opposed to a service.

2015-03-25 Thread Rob Crittenden
Steve (st33v) Neuharth wrote: > Hello, > > I hope this is an easy question to answer and forgive me if it has been > answered before. I’ve read through the documentation on how to request an ssl > cert and I cannot seem to find a process to request a client cert for a user. > > It seems that a

Re: [Freeipa-users] Is systemd really a requirement for freeipa 4.x?

2015-03-25 Thread Rob Crittenden
Coy Hile wrote: > When I look at the SPEC file for freeipa-4.1.3, I see requirements > around Systemd. Is that really a hard requirement, or is it possible to > run newer FreeIPA (that is to say 4.x) on a host that hasn't been > infested by systemd (such as CentOS 6, for example)? At the moment,

Re: [Freeipa-users] Fw: Need to replace cert for ipa servers

2015-03-25 Thread Rob Crittenden
u,u,u > > > Showing that the IPA Dogtag cert is now listed whereas it was not > previously. > > > > *From:* sipazzo > *To:* Rob Crittenden ; "freeipa-users@redhat.com" > > *Sent:

Re: [Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD

2015-03-25 Thread Rob Crittenden
Gonzalo Fernandez Ordas wrote: > Exactly the document I was having a look at. > In simple words, is it possible to work this around, and how? > Otherwise I have to drop freeipa and get back to 389_ds as it still seems > fully ldap sssd compatible. > > Have you got any doc clearly stating how to get this

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

2015-03-26 Thread Rob Crittenden
Yogesh Sharma wrote: > Hi, > > We are getting an error while trying to ssh using users created in the IPA server. > > root@yogesh-ubuntu-pc:~# ssh -vvv cm8158@52.74.84.94 You don't have a Kerberos ticket and you don't have ssh keys for this user. kinit cm8158 first or get the ssh keys. You'll need to

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Rob Crittenden
Matt . wrote: > When digging around I see this documentation: > > http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html > > I would expect that server.example.com is not going to be accepted by > IPA when you visit the webgui like that ? These are SRV records for t

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Rob Crittenden
httpd. Note that this doesn't solve the Kerberos problem so cli access will still not work as expected. The UI _might_ work using forms-based authentication. I'd strongly urge you to think about the top of this e-mail before proceeding onto the bottom. rob > > Cheers, > >

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Rob Crittenden
Anthony Lanni wrote: > I'm referring to the host certificate; I was looking at the web UI, > under Identity->Hosts in the server details page. The Host Certificate > section says 'No Valid Certificate'. > The server has a /etc/krb5.keytab file, and on the same page the > Enrollment section says 'Ke

Re: [Freeipa-users] Understanding the migration mode

2015-03-26 Thread Rob Crittenden
Prasun Gera wrote: > Yes, that is right. I added the users with ipa user-add [username] > --setattr userpassword={crypt}yourencryptedpass > > Actually, the authentication does work for the users added this way. > i.e. Without making any changes to NIS clients. I just repurposed the > NIS server to

Re: [Freeipa-users] Understanding the migration mode

2015-03-27 Thread Rob Crittenden
Prasun Gera wrote: > > The passwords will only show if they are in {crypt} format. If the > password is changed in IPA it will use the default 389-ds password > scheme which is a salted SHA. > > > Yes, that's right. If the password is changed in IPA afterwards, it will > stop working

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-27 Thread Rob Crittenden
need to request your new cert with TWO names: the host name and the alternate name. That should make the cert work anyway. rob > > > > 2015-03-26 16:48 GMT+01:00 Rob Crittenden : >> Matt . wrote: >>> HI Rob, >>> >>> Yes something is wrong there I g

Re: [Freeipa-users] How to add 'generic' service?

2015-03-27 Thread Rob Crittenden
Coy Hile wrote: > I’m rebuilding my existing heimdal realm using FreeIPA, and right now I’m > having difficulty creating the service principal afs/realm-name@REALM. When I > use ipa service-add, I get output thusly: > > [root@ipa-us-east-2 ~]# ipa service-add afs/coyhile@coyhile.com > ipa: E
