[Freeipa-users] RHEL7 rc 64bit

2014-04-28 Thread Steven Jones
Hi, Would it be expected that a RHEL7rc machine would be connectible to IPA on RHEL6.5? Just tried and it doesn't seem to be. regards Steven Jones Technical Specialist - Linux RHCE Victoria University ITS, Level 8 Rankin Brown Building, Wellington, NZ 6012 0064 4 463 6272

Re: [Freeipa-users] RHEL7 rc 64bit

2014-04-29 Thread Steven Jones
Hi, Problem between keyboard and chair. When joining to the domain I missed a - in front of mkhomedir so it doesn't create home directories and hence the gui bombs. regards Steven Jones

[Freeipa-users] Biasing which master clients talk to first

2014-04-30 Thread Steven Jones
Hi, We have a master at our DR site which is further away than our 2 local masters, is there a way (in DNS say) that we could encourage clients to use the closer IPA masters? eg host -t SRV _ldap._tcp.ods.vuw.ac.nz _ldap._tcp.ods.vuw.ac.nz has SRV record 0 100 389 serveripa3

Re: [Freeipa-users] Integrating with Smart Cards

2014-04-30 Thread Steven Jones
Hi, We want to use 2FA tokens and can't because of a Kerberos issue. I assume if this hasn't been upgraded yet that you can't get the passthrough? I'll be interested to know if that is now not the case or at least an idea when it will be GA. regards Steven Jones

[Freeipa-users] RHEL7 IPA servers

2014-04-30 Thread Steven Jones
Hi, Any thoughts / issues on upgrading RHEL6.5 IPA servers to RHEL7 when it comes out? ie from the process of doing it, mixing issues ie 1 RHEL7 master with 2 x 6.5 masters? new capabilities making it a must have? that won't be on 6.5? regards Steven Jones

[Freeipa-users] winsync failure

2014-05-04 Thread Steven Jones
== [vuwunicoipam002.ods.vuw.ac.nz] reports: Update failed! Status: [-1 Total update abortedLDAP error: Can't contact LDAP server] Failed to start replication == Any ideas why please? It looked like it transferred about 1900 odd records then bombed out. regards Steven Jones

Re: [Freeipa-users] winsync failure

2014-05-05 Thread Steven Jones
Hi, Thanks that confirms my thought as well. In a cloned test environment the sync took 25mins, in 2 hours I got 2000 out of 8000 records, so something was very slow. So the only change/variable is the network. regards Steven Jones

[Freeipa-users] IPA compatibility to win2k12r2

2014-05-05 Thread Steven Jones
Hi, We are currently on win2k3r2 and are upgrading to win2k12R2, is IPA compatible with win2k12r2? Anything to watch out for? regards Steven

Re: [Freeipa-users] IPA compatibility to win2k12r2

2014-05-06 Thread Steven Jones
Hi, Both, but especially the former. RHEL6.5 documentation seems to only talk about win2k8. regards Steven Jones

Re: [Freeipa-users] IPA compatibility to win2k12r2

2014-05-08 Thread Steven Jones
Hi, While I'm sure it works, bitter experience has taught me that I am not going to deploy anything in Production that doesn't have full vendor support, especially IPA. So until win2k12r2 is supported, I won't touch it. regards Steven Jones

[Freeipa-users] Setting up IPA to log remotely

2014-06-02 Thread Steven Jones
Is there a way to get IPA to send its logs remotely? regards Steven

Re: [Freeipa-users] Setting up IPA to log remotely

2014-06-02 Thread Steven Jones
Rob Crittenden wrote: Steven Jones wrote: Is there a way to get IPA to send its logs remotely? We intend to do something like

[Freeipa-users] State of play with 2FA and Kerberos please?

2014-07-02 Thread Steven Jones
Hi, I posted a while back (1 year?) on making IPA work with 2FA. If I recall correctly there is or was a problem with Kerberos passing through the 2FA, and FreeIPA was waiting on a Kerberos update/fix? Has this been done for IPA on REDHAT6.5? or is it still sometime in the future? if so

Re: [Freeipa-users] State of play with 2FA and Kerberos please?

2014-07-07 Thread Steven Jones
Hi, Apparently RHEL7 has limited 2FA? Is there any documentation on what it can do at present in RHEL7 please? regards Steven Jones

Re: [Freeipa-users] State of play with 2FA and Kerberos please?

2014-07-08 Thread Steven Jones
Hi, Thanks, presumably 6~12 months away, maybe even 2+ years aka RHEL8 :( regards Steven Jones

Re: [Freeipa-users] Minimum Disk Size

2015-02-03 Thread Steven Jones
I would suggest 1 x 3GHz CPU, 2GB of RAM and around 80GB disk space. To give you an idea of a small IPA server, to see what is used. Though note the recommendation is for root and /usr to now be one partition and /boot should probably be a bit bigger, say 400MB. === -bash-4.1$ df -h

Re: [Freeipa-users] sssd compatibility with older RHEL 6 minor releases.

2015-02-02 Thread Steven Jones
Hi, Not knowing your specific circumstance but my experience over the last decade plus would be keep the RHEL, Debian/Ubuntu and Solaris servers up to date all the time, or at least 1~2 months behind max. eg we clone off RHEL channels into testing channels and patch then clone production

[Freeipa-users] IPA with OTP

2015-01-20 Thread Steven Jones
Hi, Any docs for RHEL7.1 for this? regards Steven

Re: [Freeipa-users] DNS Design for FreeIPA4

2015-01-15 Thread Steven Jones
Hi, KISS, keep it simple and stupid. What we do is, AD domain is domain.com and does all its own DNS and Kerberos, all windows machines point at it etc. IPA domain is ipa.domain.com and all IPAs and indeed all Linux servers point at IPA for everything incl NTP. IPA servers use the AD

Re: [Freeipa-users] RFEs

2015-01-22 Thread Steven Jones
Hi, As a user, I'm part of the FOO.EXAMPLE.COM FreeIPA domain and I want to connect to some hosts in BAR.EXAMPLE.COM FreeIPA. This is on the radar though I couldn't find an open ticket on it. It isn't something for the very near-term though AFAIK. I will open a ticket via support as it is

Re: [Freeipa-users] question about Active Directory authentication

2015-02-17 Thread Steven Jones
Dmitri Pal wrote: On 02/17/2015 05:21 PM, Steven Jones wrote: ***maybe*** c) You might be able to do both winsync and trusts

Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.

2015-02-16 Thread Steven Jones
=*) # requesting: ALL # # search result search: 4 result: 32 No such object # numResponses: 1 regards Steven

Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.

2015-02-16 Thread Steven Jones
Hi, I have no idea how. regards Steven

Re: [Freeipa-users] question about Active Directory authentication

2015-02-17 Thread Steven Jones
I have been informed that all computer users on our campus must now authenticate off of the University's Active Directory server, including all Linux machines. dictated by a clueless Windows * no doubt, ***sigh*** Here we are keeping both separate as AD is so bad security wise, but want

[Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.

2015-02-16 Thread Steven Jones
While attempting to initialise the new server I am getting, [root@vuwunicoipam001 replica-files]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 --no-reverse replica-info-xxx.gpg --skip-conncheck --debug =8

Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.

2015-02-16 Thread Steven Jones
Yep, this is all double Dutch to me. regards Steven

Re: [Freeipa-users] trying to get a RHEL7.1 beta second master into a RHEL6.6 cluster so I can upgrade.

2015-02-16 Thread Steven Jones
= cACertificate;binary:: TUlJQ0NUQ0NBWEtnQX8--- = :( So now what? regards Steven

Re: [Freeipa-users] question about Active Directory authentication

2015-02-17 Thread Steven Jones
***maybe*** c) You might be able to do both winsync and trusts at the same time then that is simpler provisioning. ie a user gets created in AD and automatically gets created in IPA ready for you to put in the user group you want. I am not sure this is the best solution really. Trust and

Re: [Freeipa-users] FreeIPA and Application Specific Passwords

2015-02-18 Thread Steven Jones
Hi, There is always a tradeoff between ease of use, complexity/cost and security. Looking at what you have written suggests to me that your entire system lacks a proper security / network architecture model and you are trying to enforce a policy from one point, IPA. regards Steven

Re: [Freeipa-users] OTP and cached credentials

2015-03-15 Thread Steven Jones
The ability to use OTP with laptops is targeted to the 1.13 release. For my background reference, which version of RHEL will that probably be please? regards Steven

Re: [Freeipa-users] Gave Up on RHEL6-7 migration, starting over. (ipa migrate-ds)

2015-03-16 Thread Steven Jones
Hi, Our present IPA started on RHEL6.2 (I think) and has a self-signed cert which has the wrong encoding. I am just replacing it now, it's preventing RHEL7.1 joining/working/replicating. Now I am waiting on a BZ, so upgrading to RHEL7.1 isn't easy or quick. regards Steven

[Freeipa-users] Error in replication while inserting a RHEL7.1 server into a RHEL6.6 IPA setup.

2015-03-09 Thread Steven Jones
Any idea what is going on here please? == [root@vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg --skip-conncheck Checking forwarders, please wait ... WARNING: DNS

Re: [Freeipa-users] Error in replication while inserting a RHEL7.1 server into a RHEL6.6 IPA setup.

2015-03-09 Thread Steven Jones
On 03/09/2015 05:35 PM, Steven Jones wrote: Any idea what is going on here please? == [root@vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 -U replica

Re: [Freeipa-users] Error in replication while inserting a RHEL7.1 server into a RHEL6.6 IPA setup.

2015-03-09 Thread Steven Jones
On 03/09/2015 03:35 PM, Steven Jones wrote: Any idea what is going on here please? == [root@vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 -U

Re: [Freeipa-users] Error in replication while inserting a RHEL7.1 server into a RHEL6.6 IPA setup.

2015-03-09 Thread Steven Jones
Process finished, return code=0 Connection check OK == regards Steven

Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1

2015-03-11 Thread Steven Jones
Dmitri Pal wrote: On 03/11/2015 03:49 PM, Steven Jones wrote: Hi, When I try to join a 7.1 based replica to an existing setup

Re: [Freeipa-users] Extending IPA to include multiple (say 5) fields for MAC addresses per user

2015-03-11 Thread Steven Jones
On 03/11/2015 03:43 PM, Steven Jones wrote: Hi, I have been asked to look at packetfence and linking it to IPA for authentication but I might need to allow users to log into their IPA info and add MAC addresses themselves, this is possible I

[Freeipa-users] Extending IPA to include multiple (say 5) fields for MAC addresses per user

2015-03-11 Thread Steven Jones
Hi, I have been asked to look at packetfence and linking it to IPA for authentication but I might need to allow users to log into their IPA info and add MAC addresses themselves, this is possible I think? Since ppl these days can have 3 mobile devices (ipad, iphone and laptop) I would

Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1

2015-03-11 Thread Steven Jones
Hi, When I try to join a 7.1 based replica to an existing setup and use an AD forwarder the command complains that the AD box isn't doing DNSSEC, suggesting to me it is present in 7.1? At the moment however I can't join a 7.1 based IPA server into a 6.6 based IPA cluster. Or a 7.1 client to

Re: [Freeipa-users] Migration from RHEL6 (3.0.0-42) to CentOS7 (3.3.3-28.0.1)

2015-03-12 Thread Steven Jones
Hi, Currently it seems that IPA on RHEL6.6 is broken in terms of adding a RHEL7.1 replica to it. ie following the document linked to below. Should be a BZ case on it shortly via RH support (RH case number 01290601) for an updated 389 rpm for 6.6. I assume it will be the same for CentOS 7.x

[Freeipa-users] Debian 7.0.8 and REHL IPA

2015-03-24 Thread Steven Jones
Hi, Anyone have experience with running the sssd client (I assume it's available) on Debian 7.0.8 against a RH IPA setup? Is it painless long term or best avoided? regards Steven

Re: [Freeipa-users] 2-Factor and services

2015-02-25 Thread Steven Jones
Hi, So pass authentication to a RSA radius server and key fobs? Looks like RHEL7.1 can do this, I am waiting for its release to do just this. regards Steven Jones

[Freeipa-users] 2012r2 AD and RHEL 7.1 IPA compatibility

2015-01-29 Thread Steven Jones
Where is this at? ie is the above a supported configuration? So will passsync and winsync work OK? Will trusts? Will they work together? So ideally I'd like to use winsync and passsync to provision users from AD to IPA. Then in specific low security situations use trusts to grant access.

[Freeipa-users] IPA and geographically distributed masters

2015-04-01 Thread Steven Jones
Hi, Would IPA have issues if one master is on one side of the Pacific (New Zealand) and another in the USA? regards Steven J

[Freeipa-users] Integrating samba 4 to AD for authentication with an IPA enabled client.

2015-06-23 Thread Steven Jones
Hi, Is this possible? I am trying to find some docs to do this but they point at sssd and/or kerberos. But looking at RHEL7.1 / samba 4 it looks to me that with an IPA enabled client sssd, kerberos and ldap files/configuration are committed to IPA's use so cannot be altered? regards

[Freeipa-users] ssh key issues with IPA enabled servers

2015-06-16 Thread Steven Jones
Hi, I am trying to set up ssh keys into an IPA enabled server. This refuses to work, asking for a password each time. If I drop the server out of IPA the ssh keys then work. I can ssh from a non-IPA RHEL7 server to an IPA enabled server as a non-IPA user fine, but when I try to go to a IPA

Re: [Freeipa-users] Correct upgrade steps for IPA server 4.1.0

2015-10-12 Thread Steven Jones
Hi, IPA is a complex beast, you would be brave/foolish to upgrade it outside of the Red Hat support matrix. Also I would / will wait 1~2 months before upgrading to 7.2 so any serious bugs/issues are found by someone else. regards Steven

Re: [Freeipa-users] Correct upgrade steps for IPA server 4.1.0

2015-10-12 Thread Steven Jones
Hi, You want to move away from the IPA provided by the Red Hat channel? regards Steven

[Freeipa-users] dogtag v CA less

2015-10-06 Thread Steven Jones
Hi, I am trying to determine what the difference is between the 2 options above in IPA4.1 and the implications and complications are of using one or other. Also which one would be the better choice and why? Can someone explain in simple terms please? regards Steven

[Freeipa-users] Replacing the "master"

2015-09-03 Thread Steven Jones
I have a 3 node IPA cluster, I have replaced the 2 "slaves" however when I try and remove the last one the master? it says, "[root@vuwunicoipam001 thing]# ipa-replica-manage del vuwunicoipam002. Directory Manager password: Deleting a master is irreversible. To reconnect to the remote

Re: [Freeipa-users] Replacing the "master"

2015-09-06 Thread Steven Jones
Martin Kosek wrote: > On 09/04/2015 12:00 AM, Rob Crittenden wrote: >> Steven Jones wrote: >>> I have a 3 node IPA cluster, I have replaced the 2 "slaves" however when I >>> try and remove the last one the master? it says, >>> >>>

Re: [Freeipa-users] Ugrading IPA to dogtag? CA?

2015-09-06 Thread Steven Jones
Rob Crittenden wrote: Steven Jones wrote: > It seems I built IPA with self signed certs so I need to upgrade? is this > possible? and if so how on existing servers? I think it depends heavily on w

Re: [Freeipa-users] Replacing the "master"

2015-09-08 Thread Steven Jones
as below, regards Steven 8>< But overall, there is a decent HOWTO on the migration on these pages: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html 8>< fraid not, tried it.

Re: [Freeipa-users] Ugrading IPA to dogtag? CA?

2015-09-08 Thread Steven Jones
Rob Crittenden wrote: Steven Jones wrote: > RHEL6.7 and IPA 3.0 > > "self-signed" not understanding such termin

[Freeipa-users] Ugrading IPA to dogtag? CA?

2015-09-02 Thread Steven Jones
It seems I built IPA with self-signed certs so I need to upgrade? is this possible? and if so how on existing servers? regards Steven

Re: [Freeipa-users] Failed to start pki-tomcatd Service

2015-09-15 Thread Steven Jones
Hi, I am in a similar boat, well RHEL6.7 to RHEL7.1. I joined a RHEL7.1 / IPA4.1 to the 6.7 / IPA3.0 --self-cert domain, got rid of all the 6.7's so I was ca-less. Did a full backup on the RHEL7.1 / IPA 4.1. Blew away the ipa server, installed fresh, pki-tomcat runs, did a restore and

[Freeipa-users] attempting to restore IPA

2015-09-09 Thread Steven Jones
So to restore IPA I tried, ipa-restore --data ipa-full-2015-09-10-10-28-11 and now I cannot login, oopsie. The admin user password doesn't work and neither do my own accounts. NB I assume the flag --data restores the user data/HBAC rules etc? regards Steven

[Freeipa-users] Trying to reset the admin password and failing...

2016-01-06 Thread Steven Jones
Hi, Any idea how to fix this please? [root@vuwunicoipam002 ~]# ldappasswd -ZZ -D 'cn=directory manager' -W -S uid=admin,cn=users,cn=accounts,dc=xx,dc=xxx,dc=xx,dc=xx -H ldap://vuwunicoipam002.xxx New password: Re-enter new password: ldap_start_tls: Connect error (-11)

[Freeipa-users] Limited "self" registration to IPA and an IPA group

2016-08-15 Thread Steven Jones
Hi, I have a request to do limited automatic/self provisioning of users to a specific server. The idea is a lecturer would set up students into IPA and select a specific user group from a limited drop down menu. Is this possible to do such provisioning a very tied down / limited

[Freeipa-users] 3 way IPA setup

2016-10-31 Thread Steven Jones
Hi, I have a 3 way IPA 4.2 setup running on CentOS 7.2. So ipa2 and ipa3 are replicas from ipa1. Is a replication agreement set up between 2 and 3 automatically by default? (I suspect not.) How do I see whether this is or is not the case? This is what I have so far, == [root@glusterp2 ~]#
