with a normal KDC but I'm having so
much trouble with IPA-KDC. Going to wipe the Win7 config and start
fresh on that system.
Not sure why you are having trouble, the KDC component of IPA is a stock
MIT KDC with LDAP backend.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
): TGS_REQ (7 etypes
{23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime
1316461836, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for
host/crm1.pdh@pdh.csp
On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce s...@redhat.com wrote:
On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote
, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for
host/crm1.pdh@pdh.csp
On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce s...@redhat.com wrote:
On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote:
Once I changed the password for 'admin' I now get this error
.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
a more sophisticated
mechanism in many ways, maybe we should discuss on freeipa-devel
Simo.
--
Simo Sorce * Red Hat, Inc * New York
are discarding
any previous key in the KDC, and only the last one is available.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
.
So you'll have to manually (or script) configure all components for now.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
name is indeed
PDH.CSP then it is probably clock skew.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
a random password.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
access to the directory
and encrypt all traffic with SSL or GSSAPI at that point.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Wed, 2011-09-14 at 15:08 -0400, Simo Sorce wrote:
On Wed, 2011-09-14 at 11:36 -0400, Dmitri Pal wrote:
Can Freeipa accommodate a multi-tenant environment? i.e. I work for
a managed service provider that currently uses LDAP for authentication
for both our users and our customer's users
On Wed, 2011-09-14 at 15:19 -0400, Rob Crittenden wrote:
Simo Sorce wrote:
On Wed, 2011-09-14 at 15:08 -0400, Simo Sorce wrote:
On Wed, 2011-09-14 at 11:36 -0400, Dmitri Pal wrote:
Can Freeipa accommodate a multi-tenant environment? i.e. I work for
a managed service provider
, then replicate again.
Just pay attention to backup things that may be only on the first master
(for example the CA if you used selfsign).
Simo.
--
Simo Sorce * Red Hat, Inc * New York
a BZ? https://bugzilla.redhat.com
I assume it is on Fedora 15 right?
FWIW I think I reproduced this yesterday evening.
I will take a deeper look at it next week if it reproduces again.
It seems to happen only when multiple worker processes are in use and one
of them segfaults.
Simo.
--
Simo
a service krb5kdc restart (no need to restart the whole
ipa service for this).
If krb5kdc locks up again, gdb the process like you have done before but
do not press c, type 'bt' instead and copy the log then you can exit
gdb.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
--
Simo Sorce * Red Hat, Inc * New York
Also any chance you can attach gdb to the krb5kdc process and take a
backtrace ?
Hopefully we will find out where it is hanging.
Simo.
On Thu, 2011-09-08 at 14:04 -0400, Simo Sorce wrote:
Is the ns-slapd instance for the ipa domain running when this happens ?
Simo.
On Thu, 2011-09-08
to determine memberships. That will allow to use HBAC.
That said you can only control HBAC stuff on freeipa-enabled servers.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
conflict with the adtrust work if not done right, so I would
prefer to do this as part of the 3.0-Trust work.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
, given in the
IPA case it is a primary user of the keytab for validation purposes.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
, but
you may want to use a tool to make it easier to modify LDAP records
then.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
and notifies all
interested parties automatically when you access anyone's keys.
That can be done but it is expensive, something we can plan for the
future, but not something we can do in the short term.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
with: https://fedorahosted.org/freeipa/ticket/1560
Simo.
--
Simo Sorce * Red Hat, Inc * New York
dirsrv immediately upon startup.
The only case where ipactl stops dirsrv is when it fails to find
information with the ldapsearch done immediately after dirsrv starts.
Is it possible the dirsrv init script returns before dirsrv is actually
ready to serve requests ?
Simo.
--
Simo Sorce * Red Hat
- unfortunately winbind is hopelessly
broken in the last versions of Samba and none seems to care).
What is broken ? I certainly do care.
Please reply privately, as this is not the right place to discuss other
projects bugs.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
in this case to avoid problems is to
just ignore the 'non-authoritative' setting on the backend being used.
On a Samba server with LDAP the authoritative id is the gidNumber. On AD
(obviously) the authoritative one is the primary group Sid, so gidNumber
is ignored.
--
Simo Sorce * Red Hat, Inc * New York
/nssdb because certmonger
can't communicate with the IPA backend.
The other option is to downgrade curl to a previously working version,
although the upgrade was supposedly a security fix and the fix was to
remove this functionality ...
Simo.
--
Simo Sorce * Red Hat, Inc * New York
.
That said if you want to use your main DNS for client, you can simply
fix issues by adding reverse records into it at least for IPA servers.
Or give the IPA machine a subnet and forward requests for that subnet
too.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
4.22.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
Thanks for having a look!
Have you just recently created the 22.168.192.in-addr.arpa zone ?
One thing we still haven't addressed is that when you create new zones
you have to restart named before it will serve them.
Simo.
--
Simo Sorce * Red Hat
consequences it could have, that IPA is changing
read-only attributes in the AD?
The Full Name field is not read-only in AD.
It is exactly the attribute in which you are supposed to put the user's
Full Name.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
-Setting_up_Windows_Sync_on_the_IPA_Server
If the command didn't give you an error it is a bug, can you please open
a ticket ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Tue, 2011-06-21 at 12:12 +0200, Adam Tkac wrote:
On 06/16/2011 09:38 PM, Loris Santamaria wrote:
On Thu, 16-06-2011 at 11:27 -0400, Simo Sorce wrote:
On Thu, 2011-06-16 at 10:31 -0430, Loris Santamaria wrote:
Hi,
I would like to use my freeIPA v2 server as my master name server
not complete, but has enough basic AD
infrastructure to work for single domain deployments, with some minor
restrictions.
Simo.
[1]
http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step
--
Simo Sorce * Red Hat, Inc * New York
the 1M-2B range, so almost 10k different possible buckets.
The chance 2 installations end up getting the same bucket are very low.
However you can always force the UID to be used at user creation by
explicitly specifying the IDs you want.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
this error, have you created a new replica package
with ipa-replica-prepare to create the second replica ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
--
Simo Sorce * Red Hat, Inc * New York
, please
open a bug against the specific distro version, feel free to assign it
to the sssd components or pam_krb5 components depending on what you are
using on the specific machine.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
home directories at login if they are not available yet.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
, ...
then use ldapmodrdn -r cn=1211,cn=users,cn=acc. cn=username
This will rename the user properly and a plugin will take care of
renaming also the kerberos principal.
Local client caches may need some purging to properly pick up the new
value.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
: sambaSid: ...-$uid, where $uid is expanded when the user
is created.
You probably want to use the DNA plugin to generate the sambaSid for you
once you have a domain SID, it's not too difficult and will be much less
error prone.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
. Will it be rejected,
accepted?
The ipa-pwd-extop module has a list of users that can set passwords w/o
having them quality checked. The passsync user is normally one of these
users. And passwords replicated from windows are not quality checked.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
--
Simo Sorce * Red Hat, Inc * New York
..later logins are fine.
Steven,
so the problem is that you got a bogus warning, but it is working
properly beyond that ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Wed, 2011-06-08 at 22:56 +, Steven Jones wrote:
Bogus except it wouldn't allow me to login unless I changed my password, yes.
Was this right after you used an administrative account to change the
user password ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
,
Simo
--
Simo Sorce * Red Hat, Inc * New York
On Tue, 2011-05-31 at 02:17 +, Steven Jones wrote:
Hi,
So the docs should cover this at the least
Sorry Steve,
that's basic shell behavior, and you'll find info in the bash man pages.
Nothing to do with the IPA commands.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
it for the web interface too at some point).
It would be awesome to get a similar writeup of how to configure it in
that case. I am sure many users would be delighted to be able to do SSO
against the mail server (ie no need to enter any password at all after
login).
Simo.
--
Simo Sorce * Red Hat
would work like in the Kerberos+openldap setup in the
school you mention.
So it is technically possible, we simply do not yet make it easy for you
by providing wrappers.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Wed, 2011-05-25 at 04:23 +, Steven Jones wrote:
Can IPA do this?
Technically MIT Kerberos can do that, but we do not have any
infrastructure to properly handle trusts yet at the identity level.
Cross-Realm trusts are the focus of version 3.0
Simo.
--
Simo Sorce * Red Hat, Inc * New
, but the V2 docs currently seem
quite developer-centric, does anyone have any links for me?
Take a look at this:
http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/
Still a work in progress but there is a lot already.
Simo.
--
Simo Sorce * Red Hat, Inc
or in another ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
an apply the proper allows
as Adam suggested in the other message.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
named.conf
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Thu, 2011-05-19 at 01:41 +, Steven Jones wrote:
I have an internal ajax error!
:(
the logs say,
Ping me later on IRC, I'd like you to run some commands, and it will be
easier done interactively.
Simo.
On Wed, 2011-05-18 at 03:18 +, Steven Jones wrote:
I'm getting,
SASL bind failed!
As I said earlier this is happening because you changed the admin
password with a random secret when you passed -p admin in the previous
attempt.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Wed, 2011-05-18 at 20:30 +, Steven Jones wrote:
Which is why I asked Rob how to reset it which I did so it's not
that?..at least it makes no obvious sense that it is?
Once you reset the password as Rob told you all is fine again.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
that...
It is not necessary, although I would recommend that you properly set
the ptr records at least for your servers in the DNS that is managing
your reverse zones.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
.
--
Simo Sorce * Red Hat, Inc * New York
.
And also probably changed the admin password to rubbish.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
will let Adam reply to this one.
HTH,
Simo.
--
Simo Sorce * Red Hat, Inc * New York
by IPA. But if you wanted to setup an HTTP server that
uses the same PKI as IPA you'd have a certificate and key available.
cheers
--
Simo Sorce * Red Hat, Inc * New York
disconnect dc01.ad.nowhere.com
After re-creating the sync agreement with the win-subtree option, IPA
synced with AD successfully.
Great,
Simo.
--
Simo Sorce * Red Hat, Inc * New York
-client-install in future.
Simo.
--
Simo Sorce * Red Hat, Inc. * New York
--
8-
Looks like you have no host key in the keytab. That's the root of the
problem. Seems like IPA-client-install failed to populate it. Rob, do
you have any insight here?
does /var/log/ipaclient-install.log show any error ?
Simo.
--
Simo Sorce * Red Hat, Inc
as all my machines
think it's NZST while the IPA master server's software might be
thinking they are telling it April? hence security certificates etc
go boom?
No, it is just a display issue in the UI, internally all software uses
unix timestamps and UTC.
Simo.
--
Simo Sorce * Red Hat, Inc * New
an ACI on the
container to give the user you want full control on that container.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Wed, 9 Feb 2011 16:13:39 +
Brett Maton mat...@ltresources.co.uk wrote:
I can't get a Windows 7 client to authenticate against Freeipa (ver
2.0.0.pre2) running on Fedora 14.
Brett,
can you tell me what krb5-server package do you have installed ?
Simo.
--
Simo Sorce * Red Hat, Inc
on the KDC.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
.
However we will evaluate whether integrating DHCP is something we can
do for a future release, or maybe something people are willing to
contribute.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
the users/host/services data
by using the ipa user-add/host-add/service-add commands.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Thu, 27 Jan 2011 19:20:02 -0500
James Roman james.ro...@ssaihq.com wrote:
On 1/27/11 12:58 PM, Simo Sorce wrote:
On Wed, 2011-01-26 at 13:59 -0500, James Roman wrote:
So it looks like the replication password issue was a red herring
as far as the kerberos is concerned. I issued
was not protected against it.
In v2 we perfected the pw policies check so that the kerberos policies
covers also binds done against DS directly.
I also am adding a patch so that uid=kdc is protected in case DS policy
is enabled nonetheless for whatever reason.
Simo.
--
Simo Sorce * Red Hat, Inc
On Fri, 28 Jan 2011 17:39:14 -0500
James Roman james.ro...@ssaihq.com wrote:
On 01/28/2011 10:39 AM, Simo Sorce wrote:
First of all.
I am glad this was resolved, it looked puzzling indeed.
I just want to note that we do not support using the DS password
policy in ipa as we already
On Thu, 2011-01-27 at 09:09 -0500, Uzor Ide wrote:
Hi all
How do I make admin password not to expire immediately after changing
it?
It is always set to expire even if you use kpasswd to change it ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
this assertion. I have not tried to restart the ipa
services on the working server for fear that it might stop working.
Do you see errors in /var/log/krb5kdc.log ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Tue, 25 Jan 2011 15:58:35 -0500
James Roman james.ro...@ssaihq.com wrote:
On 1/25/11 2:44 PM, Simo Sorce wrote:
On Tue, 25 Jan 2011 14:33:14 -0500
James Roman james.ro...@ssaihq.com wrote:
On 01/25/2011 12:42 PM, Simo Sorce wrote:
On Tue, 25 Jan 2011 12:04:25 -0500
James
,
but at the moment I do not have a test environment that lets me test
winsync replication.
Hopefully this new patch should fix the remaining regressions.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
From 5c9952b5e166dde222bc8c5433ca97480432a980 Mon Sep 17 00:00:00 2001
From: Simo Sorce sso
: DsInstance instance has no attribute 'subject_base'
I have opened ticket 807[1] to track this.
Would you be available to test a patch ?
Simo.
[1] https://fedorahosted.org/freeipa/ticket/807
--
Simo Sorce * Red Hat, Inc * New York
On Wed, 19 Jan 2011 09:28:45 -0500
Simo Sorce sso...@redhat.com wrote:
On Wed, 19 Jan 2011 12:52:54 +0530
Aravind GV aravind...@gmail.com wrote:
Hi All
Please help me in adding a synchronization agreement. I followed (
http://freeipa.org/docs/2.0.0/Installation_Deployment_Guide/en-US
dirsrv:
AGV-COM...[ OK ]
PKI-IPA...[ OK ]
*INFO:root:stderr=*
*unexpected error: 'Env' object has no attribute 'ra_plugin'*
Regards,
AGV
On Wed, Jan 19, 2011 at 8:29 PM, Simo Sorce sso...@redhat.com wrote:
On Wed, 19 Jan 2011 09:28:45 -0500
Simo Sorce sso
will be greatly appreciated
Is ipa_kpasswd running ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Tue, 07 Dec 2010 10:51:55 +0100
Thomas Sailer sai...@sailer.dynip.lugs.ch wrote:
On Mon, 2010-12-06 at 13:53 -0500, Simo Sorce wrote:
Hi Simo,
I pushed the patch in git just today :)
Your patch indeed helps :)
I've adapted it to the fc14 srpm, compiled it, and at least the extop
your data first).
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Mon, 06 Dec 2010 18:31:37 +0100
Thomas Sailer sai...@sailer.dynip.lugs.ch wrote:
On Mon, 2010-12-06 at 10:55 -0500, Simo Sorce wrote:
Hi Simo,
thanks for your response!
We are seeing an issue with F14 DS where it has been built against
openldap libraries while we still have
On Mon, 06 Dec 2010 19:43:29 +0100
Thomas Sailer sai...@sailer.dynip.lugs.ch wrote:
On Mon, 2010-12-06 at 13:35 -0500, Simo Sorce wrote:
Keys are stored in ldap and asn.1 encoding is generated using ldap
libraries before storing it.
If that operation fails it may generate malformed
.
This looks like a kernel/rpc.gssd bug, I would file a ticket against
those components.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
, and should be
simply re-generated on the receiving replica when member attributes
are replicated.
Are the IPA versions on the master and the replica the same ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
any IPA
controlled subtree.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
that do not use any form of nesting.
The parameter should actually probably be an integer that determines
the level of nesting we allow to search at runtime, with 0 meaning none
and any other value up to a maximum we define allowing deeper and
deeper nesting.
Simo.
--
Simo Sorce * Red Hat, Inc
of will be very helpful.
memberof is not required by rfc2307bis. Actually it is not even
mentioned by rfc2307bis, so it is our fault if we depend on it.
rfc2307bis actually mentions only uniquemember.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
reflected by the results of the 'id' command.
Ok this is the expected behavior.
Maybe the cache was corrupted?
Unlikely, maybe your SSSD went offline and wasn't able to get back
online for some reason until you restarted it ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
is cn=ipa-dna,cn=plugins,cn=config
There may be something else we found I am missing, but these 2 are
pretty fundamental things.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Thu, 27 May 2010 12:27:49 -0400
Simo Sorce sso...@redhat.com wrote:
Tom,
apologies, I meant Thomas, not enough sleep I guess :/
Simo.
--
Simo Sorce * Red Hat, Inc * New York
it as unconfined.
Can you check /var/log/audit/audit.log ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
connections, or is there more ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
for the first time.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
password
for both google apps *and* your company resources.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
both enabled they would
interfere, only one or the other.
The 389 memberof plugin is probably better now, as we merge all the
code we developed for ipa in there. But unless you have specific
problems you can just leave it as it is.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
back to
password auth I suggest looking at the server's logs.
Simo.
--
Simo Sorce * Red Hat, Inc * New York