CEPTION (Invalid Credential.)"
> As I said before though, I can use this command on other systems just fine,
> it is just this one system that it is failing on.
>
> Thanks,
> Sara Kline
>
>
> -Original Message-
> From: Simo Sorce [mailto:s...@redhat.com]
>
just be a manual setup now.
>
> Thanks,
> Sara Kline
Can you please provide the command you are running to re-join the
machine ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
On Tue, 2012-07-31 at 21:08 +0200, Sigbjorn Lie wrote:
> On 07/31/2012 01:50 PM, Simo Sorce wrote:
> > On Tue, 2012-07-31 at 10:50 +0200, Sigbjorn Lie wrote:
> >> On Tue, July 31, 2012 10:20, Petr Spacek wrote:
> >>> On 07/30/2012 10:37 PM, Sigbj
e:
> > http://oprofile.sourceforge.net/doc/overview.html#getting-started
> >
> >
> > Nice article with theory && examples:
> > http://people.redhat.com/wcohen/Oprofile.pdf
> >
> >
> > Homepage with a lot of
t wrong in updating the
DNS schema where we added a few attributes to allow zone transfers.
Can you check the ipaserver-upgrade.log file and see if there are any
errors in there ?
Simo.
> Regards,
>
> Robert..
>
>
> On 27 July 2012 17:29, Simo Sorce wrote:
> On Thu
not created. Has
> any one ever encountered such a problem if so what needs to be done to
> resolve it ?
>
>
> IPA server version 2.1.3. API version 2.13
>
Was this server upgraded from a 2.0.x one ?
Simo.
ry in Firefox and even closing all
> instances of Firefox and restarting see me logged back in as my adm account...
>
> So what do I need to do to flush? reboot my workstation?
logout or manually run kdestroy
Simo.
. It shouldn't be related to time issues, in that case you
usually get clock-skew.
Can you tell me what operation was being performed by sssd when you
caught that error ?
Can you check if immediately before another identical operation had been
performed ?
Simo.
'oracle' directly).
Note you can also allow sudo -i which gives you an interactive shell
just like su - would, but you can control sudo configuration centrally.
Simo.
let ipa choose
IDs unless you have a constraint that prevents you from letting that
happen.
Simo.
On Tue, 2012-07-17 at 22:06 +, Steven Jones wrote:
> Can I get this clarified as I am getting really confused,
>
> Can I do this in/via IPA or not?
>
> Yes or no I think will suffice.
Not using 'su', but you can using sudo as explained in other messages.
Simo.
This was probably meant for the freeipa-users mailing list.
Simo.
--- Begin Message ---
>
> sudo -i su - oracle
No, you would run "sudo -i oracle". -i = simulate initial login.
Alternately, you can use sudo -s oracle for "run
If an admin logs in I want them to be able to su - anybody...
>
> In a way before I could do that with the wheel group and pam.
I think you want to look at sudo -i
Simo.
> >> I've traced the
> >> unindexed searches back to the time of Web UI access and they don't
> >> match. I also don't see any other obvious errors when running
> >> logconv.pl.
> >>
> >> One strange thing I have noticed is that the 389 server logs seem to
> >> update in "spurts". If I'm tailing the logs while I access a Web UI
> >> page, there is nothing, then a couple of seconds later, I see the logs
> >> quickly scroll with new entries. Has this always been the case? I
> >> don't seem to remember this before.
> >
> > Yes. The 389 access log is buffered, for performance reasons.
>
> Just thought it might be relevant. I'm not sure what is causing the
> extreme slowness. I've also shut off memcached and tried without it
> with no discernible difference. The directory seems to be handling the
> load of external queries just fine, although I'm not sure I've solved
> the memory issue--I'm still testing with the compat plugin disabled to
> see if I can stop the memory creep. Maybe it's something in the code
> of the Web UI itself as its even slow when changing from page to page
> of users and hosts.
Looks like the symptoms of not using session cookies.
Do you see constant activity getting tickets for ldap/ipa.server.fqdn in
the krb5kdc.log ?
Simo.
er
>
> Link to page is :
> http://freeipa.org/page/YubiRadius_integration_with_group-validated_FreeIPA_Users_using_LDAPS
>
>
> Have a great weekend all.
Thanks Dale,
great stuff.
Simo.
er of entries in the zone is large and
> there are a many updates per day and I was uncertain of the type of
> performance I could expect.
Unfortunately slaving is not supported at the moment, but just out of
curiosity what is the ballpark number for "many updates" ?
Simo.
On Thu, 2012-07-12 at 15:14 -0400, Qing Chang wrote:
>
> On 11/07/2012 5:46 PM, Dmitri Pal wrote:
> > On 07/11/2012 04:01 PM, Qing Chang wrote:
> > >
> > > On 11/07/2012 3:23 PM, Simo Sorce wrote:
> > > > On Wed, 2012-07-11 at 15:21 -0400, Qing Chang w
amba group unless you turn it into a posix group first.
however also keep in mind we discourage using ipausers as a posix group
for performance reasons in domains with many users and recommend instead
to create smaller targeted groups.
Simo.
n use kadmin.local on a pre-existing principal to obtain a
new keytab.
Simo.
done with a standalone Kerberos KDC?
you can use the --force flag to force the creation of an arbitrary
service principal.
> Again, you don't have to use the IPA tools. You can use the Kerberos
> server tools.
Using kadmin.local is really not recommended
s3-hmac-sha1:special
> krbDefaultEncSaltTypes: arcfour-hmac:special
> =
>
> As I mentioned, I can create keytabs with des-cbc-crc:normal and
> des-cbc-crc:afs3,
> but not with des-cbc-crc:v4, which is what OpenAFS uses.
>
> Qing
>
> On 11/07/2012 8:28 AM, Simo Sorce wr
t like them.
You need to change the supported enc types in LDAP for ipa to care.
These attributes are in the cn=REALM_NAME,cn=kerberos,$suffix entry in
ldap.
Simo.
a should allow you to log in using the ipa
password.
Simo.
ice_Controller_Daemon#Configuration_Store
>
Also we still keep serving users out of the sssd cache as long as the
sssd_nss process is running.
And with the memory cache we have in 1.9.0 you may still get users from
the cache directly even if the whole sssd dies.
Simo.
world readable for example, and they should
always be transmitted securely (either enveloped in a gpg file or copied
using scp/sftp or similar methods that ensure the communication is
encrypted).
The best way to ensure keys are properly handled is to retrieve them
directly on the target machine, and only th
rewrite the file it appends the new
keys there, which is what you want.
Simo.
ce, but that would also
prevent password changes, if that's a limitation you can live with then
you could decide to expose only port 88.
Simo.
t the documentation should be
good enough to sort out what you need to do.
Simo.
ks, then we can see how we get from there.
>
> I already appreciate that you take this seriously. Thanks!
Hi Naxto,
take a look at the freeipa-devel list,
William Brown is working on basic integration and has sent a few mails,
where he points at a git tree with some work.
Maybe you can coordinate to do
On Mon, 2012-06-25 at 15:39 -0400, Dmitri Pal wrote:
> On 06/25/2012 02:36 PM, Simo Sorce wrote:
> > On Mon, 2012-06-25 at 13:51 -0400, Dmitri Pal wrote:
> >> Simo are you sure simple bind is enough? I thought that it should be a
> >> bind over SSL with some specific e
portant, SASL/PLAIN is almost never used.
Simo.
d
when gdm restart.
A reboot fixed it for me.
Simo.
edback:
>
> http://freeipa.org/page/Libvirt_with_VNC_Consoles
>
> Kind regards,
James,
excellent write up.
Thanks a lot!
Simo.
ify commands with a very simple template
ldif and a couple substitutions.
However this is a possible solution.
Simo.
n ldap bind that sends a clear text password. While in
migration mode, a bind will check if the password is valid, and if it is
it will generate the kerberos keys out of it.
Simo.
On Tue, 2012-06-19 at 23:37 +0200, Sigbjorn Lie wrote:
> Hi,
>
> Do a user's kerberos tickets become invalid after a restart of the KDC
> that granted the tickets?
No, tickets are encrypted with long term keys.
Simo.
On Wed, 2012-06-20 at 10:01 +0100, Darran Lofthouse wrote:
> On 06/19/2012 07:12 PM, Stephen Ingram wrote:
> > On Tue, Jun 19, 2012 at 9:55 AM, Simo Sorce wrote:
> >> On Tue, 2012-06-19 at 09:15 -0700, Stephen Ingram wrote:
> >>> On Tue, Jun 19, 2012 at 2:54 AM, Dmit
.org/page/Apache_SNI_With_Kerberos
Very nice writeup!
I see you use mod_ssl, can this configuration be obtained with mod_nss
as well ?
I was going to try it but on an ipa server we use mod_nss and would like
to avoid having to find out how to reconfigure stuff to use mod_ssl.
Simo.
then will be able to get a copy of
> the keytab for the user with ipa-getkeytab. I tried it out because the
> thought of not being able to get a keytab for a user was concerning. I
> agree that the service keytabs make more sense for these instances (I
> was also told this by Simo in anot
On Tue, 2012-06-19 at 09:28 -0700, Stephen Ingram wrote:
> On Fri, Jun 15, 2012 at 6:09 AM, Simo Sorce wrote:
> > On Fri, 2012-06-15 at 00:10 -0700, Stephen Ingram wrote:
> >> Is it possible for accounts in cn=etc,cn=sysaccounts to have kerberos
> >> principals or must
tion from the windows domain admins.
w/o that collaboration there isn't much you can really do in any case.
Simo.
y set up a two way trust
but the windows admins would certainly be able to delete the outgoing
trust right after it is created, it should cause trouble for win users
that want to access ipa hosts.
We may take an RFE about creating only a one way trust, but it won't be
there by 3.0
e
able to initiate just fine.
HTH,
Simo.
already have conventions for the principal name (for
example HTTP/fqdn@REALM for http servers).
If your scripts are arbitrary you may decide to create your own script
principal (useful if you want to assign special ACIs to it in IPA as you
can reference the service account under cn=services in ACIs
>
> > I will appreciate any help.
> >
Hi Maciej,
what kind of schema is in use in the server you want to migrate from ?
rfc2309/rfc2309bis ? other ?
Simo.
users is replicated to that branch replica. But these
are future plans, it will take a few minor versions after 3.0 at least.
Simo.
rly set up (or /etc/hosts entries) for all
the servers.
Simo.
t a fix right now, not for my setup anyway.
Please provide DS logs, if you are having replication errors they should
show up in the logs.
Simo.
u run a
ipa-replica-manage del
Simo.
> As a test, I tried to set the '-needchange' attribute using kadmin but
> that returned "... Insufficient access while modifying..."
This is not controlled by kadmin.
>
> I grepped the mailing list archives / API.txt / source code / etc. for
> clues but without succe
ven't experienced any KDC failure in ages here.
Simo.
ts to go with the document as well, however they aren't
> uploading correctly at present. I will upload when I can.
>
> Let me know what you think.
>
> Hoo roo for now.
Thanks Dale, I fixed a bug in the ldif used to create the zimbra system
account u
On Thu, 2012-05-31 at 15:13 +0100, Dale Macartney wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
>
>
> On 31/05/12 15:10, Simo Sorce wrote:
> > On Thu, 2012-05-31 at 07:55 +0100, Dale Macartney wrote:
> >>
> >> -BEG
acle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
Apparently AES is not fully supported unless you have the JCE which is
not distributed by default due to restrictions on export as far as I can
understand.
If you prefer to restrict
In the very latest code they also fixed using Negotiate auth to login
using Kerberos against the Web interface even when their proxy is being
used, so now all components of Zimbra should be usable with krb auth.
This means a properly configured Browser/MUA should be able to do full
SSO aut
there another solution to this?
You will need to add a new range.
See 5.4.2. Adding New Ranges here:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
>
> Thanks - any help would be appreciated!
>
nt to check that this user is properly set according to this
page: http://www.freeipa.org/page/PasswordSynchronization
I think we do that automatically when the agreement is created, but
checking won't hurt.
Simo.
On Wed, 2012-05-16 at 15:08 -0700, Thomas Jackson wrote:
>
>
> On Tue, May 15, 2012 at 3:24 PM, Simo Sorce wrote:
> On Tue, 2012-05-15 at 14:21 -0700, Thomas Jackson wrote:
> > So going through the documentation it's clearly laid out not
> to
o you have when trying to make this change?
>
> The error is coming from 389-ds, not from the KDC ACLs.
>
> For whatever it's worth I tried this in 2.2.0 and it worked.
In 2.2 we do not restrict kadmin/kdc as much as we did in < 2.1
Simo.
UI will
not report you anything about it.
The flags part is still a weak point of the Web UI, if you want you can
open an RFE ticket to ask for better support for these flags, we need to
do it at some point, we simply haven't yet as we concentrated on more
important and pressing issues thus far.
S
assume the user does not have
a kerberos ticket, so spnego fails to find valid credentials for any of
the supported mechs and punts.
Simo.
symlink:
> $ mkdir /tmp/gconfd-somebody/lock
> $ cd /tmp/gconfd-somebody
> $ ln -s /tmp/gconfd-craig/lock/ior
I am going to assume you are using 32bit versions of Adobe Acrobat and
Firefox. In this case you need to install also the 32bit version of the
sssd-client package.
Simo.
Trusts with AD.
Simo.
> > >>>>You could do this as admin if you have a ticket so that you don't have
> > >>>>to enter the directory manager password.
> > >>>
> > >>>This is great, thanks Dan.
> > >>>
> > >>>BTW the equivalent com
> of proxy?
Not really, your best bet in that situation is cross realm trust support
scheduled for the next FreeIPA version.
Simo.
; -W -h $IPA_SERVER -p 389 -vv
> >>>> -f update_krbpasswordexpiration.ldif
> >>>>
> >>>> Where the update_krbpasswordexpiration.ldif file contains:
> >>>>
> >>>> dn: uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com
> >
ly be cleared with a restart for now.
I am opening a ticket to try to handle that automatically in 389ds, but
for now you have to go that route.
Simo.
m guessing what happened was I got bit by BZ 675742 or similar before
> or after the upgrade but never noticed b/c I haven't used the cert
> system until now. Maybe whatever the fix for this bug was should be
> revisited, or the upgrade process should mak
at password change time, if you want to
change the password expiration time of a specific user w/o forcing a
password change then you need to change the krbPasswordExpiration
attribute on the user.
Simo.
help. Thanks.
Due to the way kerberos tickets are built you need to restart the master
this replica was replicating to before you rebuild a replica with the
exact same name.
This is because krb tickets are cached but you will change the long term
key with a full reinstall, so the current master wil
thing else to 'exampleGroup'? what's the
> immediately and potential effect on adjustment? Thanks.
>
See above.
Simo.
ay be considered a bug, but it is that way for
historical reasons I think.
Simo.
's basically a matter of evaluating if you can live with letting other
services see the user's password or not.
In future we want to add auth mechanisms that do not necessarily depend
on Kerberos and will not expose the user password to random services,
like O
On Fri, 2012-05-04 at 17:14 +0200, David Juran wrote:
> On fre, 2012-05-04 at 10:52 -0400, Simo Sorce wrote:
>
> >
> > please run:
> > rpm -qa |grep cyrus-sasl
>
> root@zlin2011:/var/log/dirsrv/slapd-SRV-VOLVO-COM# rpm -qa |grep cyrus-sasl
> cyrus-sasl-lib-2.1
On Fri, 2012-05-04 at 16:44 +0200, David Juran wrote:
> On fre, 2012-05-04 at 10:25 -0400, Simo Sorce wrote:
> > On Fri, 2012-05-04 at 16:04 +0200, David Juran wrote:
> > >
> > > [04/May/2012:15:22:27 +0200] conn=8 fd=66 slot=66 connection from
> > > local to
you lacking sasl dependencies in 389 by chance ?
not sure that's the cause though, as IIRC 2.1 used simple binds.
Simo.
how IPA breaks in that case ?
Is this after IPA is fully installed ? Or does the installer fail ?
Simo.
o have a separate infrastructure for network gear if you like
and still be able to authenticate from one realm to the other.
IPA-IPA cross realm is not fully tabled yet, it will come after our
first stab at AD-IPA cross realm trust support.
Simo.
en caused
> the MIT Kerberos server to crash then Samba was running in domain mode
> on the same box. Honestly I still don't trust MIT's implementation in
> a mission critical environment,
MIT Kerberos libraries are thread safe, this has been the case for a
long while now. If you have spe
I did not look at the KDC logs. And yes, I did try to limit the enc
> types to 3des and below, it still did not work.
Depending on how this was done it may be the issue.
> I will have to visit this again later.
Ok, let me know if we can help somehow.
Simo.
This
> seems to be an issue in
> Solaris 11. It could be a configuration error, I just haven't had time to
> look into it yet. We do
> not use Solaris 11 in production as per today.
Do you see anything special on the KDC side when you get that error in
the console ?
Do you play with enctypes when you obtain the system keytab ?
Simo.
system will be more responsive when many clients hit it using a mix
of protocols (LDAP, KRB, DNS).
Simo.
safe to take a backup of the master while "hot", then
> restore a replica, and promote it to master using the "hot" backup of
> the master (just the specific CA files needed)?
If you are using the dogtag CA it wouldn't as it uses a DS instance as
is not allowing you to delete that entry you want to delete and then
you should be able to clean up stuff through the CLI or the WebUI tools.
Simo.
not work with kerberos authentication as the client
will not have the right name to get a ticket against, and, if I
understand the scenario, it will not even have access to the KDC to get
a ticket from.
Once 2.2 is released and form-based auth will be available you should be
able to make it work with that.
On Thu, 2012-03-29 at 20:43 +0200, Natxo Asenjo wrote:
>
> On Thu, Mar 29, 2012 at 8:25 PM, Simo Sorce wrote:
> Your configuration looks right, but I went back and looked at
> your logs
> and I saw a permission denied error.
>
> I
On Thu, 2012-03-29 at 08:58 +0200, Natxo Asenjo wrote:
> On Wed, Mar 28, 2012 at 11:36 PM, Simo Sorce wrote:
>
>
> CNAMEs should work just fine with the host's HTTP/A-name@REALM
> key.
> In fact I just tested a virtual host o
> You should be able to add a host entry for the vhost, perhaps with the
> --force flag to let it add w/o a DNS A record. Then you should be able
> to create the service.
This shouldn't be necessary unless the vhost uses an A name, but then
you need a key for each vhost, w
uration ?
Also what browser are you testing with ?
If you kdestroy and then kinit clean, and then try to access the server
*only* using the CNAME you should see the browser has acquired a ticket
for HTTP/A-name. You can use klist to verify. If this works you know it
is a server side issue onl
On Wed, 2012-03-28 at 20:12 +, Steven Jones wrote:
> Hi,
>
> That is cool, but I have not read that anywhere, can we get that bit written
> into the passsync section? Or have I missed it?
This may shed some light:
http://freeipa.org/page/PasswordSynchronization
Simo.
ou do that with IPA
passsync uses a user to save passwords in IPA, all you need to do is to
make sure that user is one of the passsync managers. When you do that
password policy is not enforced at all and the password is taken in as
is w/o any check.
Simo.
.
If you delete the admin user you will completely break your FreeIPA
server. Just FYI.
Simo.
On Mon, 2012-03-19 at 14:57 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Mon, 2012-03-19 at 11:47 -0500, David wrote:
> >> After upgrading the IPA server on a Fedora 15 host to
> >> freeipa-server-2.1.4-3.fc15.x86_64 along with the LDAP dependency of
>
On Mon, 2012-03-19 at 12:36 -0400, Simo Sorce wrote:
> On Mon, 2012-03-19 at 14:46 +0100, Marco Pizzoli wrote:
> >
> >
> > On Mon, Mar 19, 2012 at 2:32 PM, Simo Sorce wrote:
> > On Mon, 2012-03-19 at 13:51 +0100, Marco Pizzoli wrote:
> > >
s to be done to
> correct it?
What 389ds version did you upgrade from (yum history can tell you).
We have just had another thread with a user that upgraded from an alpha
release of 389ds that should have not been used in production.
See the thread named: [Freeipa-users] (no subject)
(yeah not a gre
On Mon, 2012-03-19 at 14:46 +0100, Marco Pizzoli wrote:
>
>
> On Mon, Mar 19, 2012 at 2:32 PM, Simo Sorce wrote:
> On Mon, 2012-03-19 at 13:51 +0100, Marco Pizzoli wrote:
> >
> > In attachment. You can find only one, but all of them
cn=schema' 'objectClasses'
No need to attach everything returned, just edit the result and attach
only the results for your classes.
Simo.
Please open tickets for both issues.
>
>
> Done:
> https://fedorahosted.org/freeipa/ticket/2547
> https://fedorahosted.org/freeipa/ticket/2546
>
> Do you have a hint on how to manage to do this import in the meantime?
> Every manual step is ok fo