Hi,
Would it be expected that a RHEL7rc machine would be connectible to IPA on
RHEL6.5?
Just tried and it doesn't seem to be.
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University ITS,
Level 8 Rankin Brown Building,
Wellington, NZ
6012
0064 4 463 6272
Hi,
Problem between keyboard and chair.
When joining to the domain I missed a - in front of mkhomedir so doesn't create
home directories and hence the gui bombs.
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University ITS,
Level 8 Rankin Brown Building,
Wellington, NZ
Hi,
We have a master at our DR site which is further away than our 2 local
masters, is there a way (in DNS say) that we could encourage clients to use
the closer IPA masters?
eg
host -t SRV _ldap._tcp.ods.vuw.ac.nz
_ldap._tcp.ods.vuw.ac.nz has SRV record 0 100 389 serveripa3
Hi,
We want to use 2FA tokens and can't because of a Kerberos issue. I assume if
this hasn't been upgraded yet that you can't get the passthrough?
I'll be interested to know if that is now not the case or at least an idea when
it will be GA.
regards
Steven Jones
Technical Specialist - Linux
Hi,
Any thoughts / issues on upgrading RHEL6.5 IPA servers to RHEL7 when it comes
out?
ie from the process of doing it, mixing issues ie 1 RHEL7 master with 2 x 6.5
masters? new capabilities making it a must have? that won't be on 6.5?
regards
Steven Jones
Technical Specialist - Linux RHCE
==
[vuwunicoipam002.ods.vuw.ac.nz] reports: Update failed! Status: [-1 Total
update abortedLDAP error: Can't contact LDAP server]
Failed to start replication
==
Any ideas why please? it looked like it transferred about 1900 odd records
then bombed out.
regards
Steven Jones
Hi,
Thanks that confirms my thought as well. In a cloned test environment the sync
took 25mins, in 2 hours I got 2000 out of 8000 records, so something was very
slow. So the only change/variable is the network.
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University ITS
Hi,
We are currently on win2k3r2 and are upgrading to win2k12R2, is IPA compatible
with win2k12r2?
Anything to watch out for?
regards
Steven
___
Freeipa-users mailing list
Freeipa-users@redhat.com
Hi,
Both, but especially the former. RHEL6.5 documentation seems to only talk
about win2k8.
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University ITS,
Level 8 Rankin Brown Building,
Wellington, NZ
6012
0064 4 463 6272
From
Hi
While I'm sure it works, bitter experience has taught me that I am not going to
deploy anything in Production that doesn't have full vendor support, especially
IPA.
So until win2k12r2 is supported, I won't touch it.
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University
Is there a way to get IPA to send its logs remotely?
regards
Steven
From: Rob Crittenden rcrit...@redhat.com
Sent: Tuesday, 3 June 2014 9:27 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Setting up IPA to log remotely
Steven Jones wrote:
Is there a way to get IPA to send its logs remotely?
We intend to do something like
Hi,
I posted a while back (1 year?) on making IPA work with 2FA. If I recall
correctly there is or was a problem with Kerberos passing through? the 2FA and
FreeIPA was waiting on a Kerberos update/fix?
Has this been done for IPA on REDHAT6.5?
or is it still sometime in the future? if so
Hi,
Apparently RHEL7 has limited 2FA?
Is there any documentation on what it can do at present in RHEL7 please?
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University ITS,
Level 8 Rankin Brown Building,
Wellington, NZ
6012
0064 4 463 6272
Hi,
Thanks, presumably 6~12months away, maybe even 2+ years aka RHEL8
:(
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University ITS,
Level 8 Rankin Brown Building,
Wellington, NZ
6012
0064 4 463 6272
From: freeipa-users-boun
I would suggest,
1 x 3ghz CPU, 2gb of ram and around 80gb disk space.
To give you an idea of a small IPA server to see what is used,
Though note the recommendation is for root and /usr to now be one partition and
/boot should probably be a bit bigger, say 400mb.
===
-bash-4.1$ df -h
Hi,
Not knowing your specific circumstance but my experience over the last decade
plus would be keep the RHEL, Debian/Ubuntu and Solaris servers up to date all
the time, or at least 1~2 months behind max. eg we clone off RHEL channels
into testing channels and patch then clone production
Hi,
Any docs for RHEL7.1 for this?
regards
Steven
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Hi,
KISS
keep it simple and stupid.
What we do is,
AD domain is domain.com and does all its own DNS and Kerberos, all windows
machines point at it etc
IPA domain is ipa.domain.com and all IPA's and indeed all Linux servers point
at IPA for everything incl NTP.
IPA servers use the AD
Hi,
As a user, I'm part of the FOO.EXAMPLE.COM FreeIPA domain and I want to
connect to some hosts in BAR.EXAMPLE.COM FreeIPA.
This is on the radar though I couldn't find an open ticket on it. It
isn't something for the very near-term though AFAIK.
I will open a ticket via support as it is
on
behalf of Dmitri Pal d...@redhat.com
Sent: Wednesday, 18 February 2015 11:51 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] question about Active Directory authentication
On 02/17/2015 05:21 PM, Steven Jones wrote:
***maybe***
c) You might be able to do both winsync and trusts
=*)
# requesting: ALL
#
# search result
search: 4
result: 32 No such object
# numResponses: 1
regards
Steven
From: Rob Crittenden rcrit...@redhat.com
Sent: Tuesday, 17 February 2015 10:59 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa
Hi,
I have no idea how.
regards
Steven
From: Rob Crittenden rcrit...@redhat.com
Sent: Tuesday, 17 February 2015 10:40 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master
I have been informed that all computer users on our campus must now
authenticate off of the University's Active Directory server, including all
Linux machines.
dictated by a clueless Windows * no doubt, ***sigh*** Here we are keeping
both separate as AD is so bad security wise, but want
While attempting to initialise the new server I am getting,
[root@xx replica-files]# ipa-replica-install
--setup-dns --forwarder=10.100.32.31 --no-reverse replica-info-xxx.gpg
--skip-conncheck --debug
=8
yep this is all double dutch to me.
regards
Steven
From: Rob Crittenden rcrit...@redhat.com
Sent: Tuesday, 17 February 2015 12:08 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] trying to get a RHEL7.1 beta second master
=
cACertificate;binary:: TUlJQ0NUQ0NBWEtnQX8---
=
:(
So now what?
regards
Steven
From: Rob Crittenden rcrit...@redhat.com
Sent: Tuesday, 17 February 2015 12:08 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa
***maybe***
c) You might be able to do both winsync and trusts at the same time then that
is simpler provisioning. ie a user gets created in AD and automatically gets
created in IPA ready for you to put in the user group you want.
I am not sure this is the best solution really.
Trust and
Hi,
There is always a tradeoff between ease of use, complexity/cost and security.
Looking at what you have written suggests to me that your entire system lacks a
proper security / network architecture model and you are trying to enforce a
policy from one point, IPA.
regards
Steven
The ability to use OTP with laptops is targeted to the 1.13 release.
For my background reference, which version of RHEL will that probably be
please?
regards
Steven
Hi,
Our present IPA started on RHEL6.2 (I think) and has a self-signed cert which
has the wrong encoding. I am just replacing it now, it's preventing RHEL7.1
joining/working/replicating.
Now I am waiting on a BZ, so upgrading to RHEL7.1 isn't easy or quick.
regards
Steven
Any idea what is going on here please?
==
[root@vuwunicoipam004 ipa-certs]#
ipa-replica-install --setup-dns --forwarder=10.100.32.31 -U
replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg --skip-conncheck
Checking forwarders, please wait ...
WARNING: DNS
in replication while inserting a RHEL7.1
server into a RHEL6.6 IPA setup.
On 03/09/2015 05:35 PM, Steven Jones wrote:
Any idea what is going on here please?
==
[root@vuwunicoipam004 ipa-certs]#
ipa-replica-install --setup-dns --forwarder=10.100.32.31 -U
replica
] Error in replication while inserting a RHEL7.1
server into a RHEL6.6 IPA setup.
On 03/09/2015 03:35 PM, Steven Jones wrote:
Any idea what is going on here please?
==
[root@vuwunicoipam004 ipa-certs]#
ipa-replica-install --setup-dns --forwarder=10.100.32.31 -U
Process finished, return code=0
Connection check OK
==
regards
Steven
From: freeipa-users-boun...@redhat.com freeipa-users-boun...@redhat.com on
behalf of Steven Jones steven.jo...@vuw.ac.nz
Sent: Tuesday, 10 March 2015 1:36 p.m.
To: freeipa-users
-users-boun...@redhat.com on
behalf of Dmitri Pal d...@redhat.com
Sent: Thursday, 12 March 2015 9:07 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1
On 03/11/2015 03:49 PM, Steven Jones wrote:
Hi,
When I try to join a 7.1 based replica to an existing setup
multiple (say 5) fields
for MAC addresses per user
On 03/11/2015 03:43 PM, Steven Jones wrote:
Hi,
I have been asked to look at packetfence and linking it to IPA for
authentication but I might need to allow users to login into their IPA info and
add MAC addresses themselves, this is possible I
Hi,
I have been asked to look at packetfence and linking it to IPA for
authentication but I might need to allow users to login into their IPA info and
add MAC addresses themselves, this is possible I think?
Since ppl these days can have 3 mobile devices, (ipad, iphone and laptop) I
would
Hi,
When I try to join a 7.1 based replica to an existing setup and use an AD
forwarder the command complains that the AD box isn't doing DNSSEC suggesting to
me it is present in 7.1?
At the moment however I can't join a 7.1 based IPA server into a 6.6 based IPA
cluster. Or a 7.1 client to
Hi,
Currently it seems that IPA on RHEL6.6 is broken in terms of adding a RHEL7.1
replica to it. ie following the document linked to below.
Should be a BZ case on it shortly via RH support (RH case number 01290601) for
an updated 389 rpm for 6.6.
I assume it will be the same for Centos 7.x
Hi,
Anyone have experience with running the sssd client (I assume it's available) on
Debian 7.0.8 against a RH IPA setup?
Is it painless long term or best avoided?
regards
Steven
Hi,
So pass authentication to a RSA radius server and key fobs?
Looks like RHEL7.1 can do this, I am waiting for its release to do just this.
regards
Steven Jones
B.Eng (Hons)
Technical Specialist - Linux RHCE
Victoria University ITS,
Level 8 Rankin Brown Building,
Wellington, NZ
6012
Where is this at? ie is the above a supported configuration?
So will passync and winsync work OK?
Will trusts?
Will they work together? So ideally I'd like to use winsync and passsync to
provision users from AD to IPA. Then in specific low security situations use
trusts to grant access.
Hi,
Would IPA have issues if one master is on one side of the Pacific (New
Zealand) and another in the USA?
regards
Steven J
Hi,
Is this possible? I am trying to find some docs to do this but they point at
sssd and/or kerberos. But looking at RHEL7.1 / samba 4 it looks to me that
with an IPA enabled client sssd, kerberos and ldap files/configuration are
committed to IPA's use so cannot be altered?
regards
Hi,
I am trying to setup ssh keys into an IPA enabled server. This refuses to work
asking for a password each time. If I drop the server out of IPA the ssh keys
then work.
I can ssh from a non-IPA RHEL7 server to an IPA enabled server but non-IPA user
fine, but when I try to go to a IPA
Hi,
IPA is a complex beast, you would be brave/foolish to upgrade it outside of the
Redhat support matrix.
Also I would / will wait 1~2 months before upgrading to 7.2 so any serious
bugs/issues are found by someone else.
regards
Steven
From:
Hi,
You want to move away from the IPA provided by the redhat channel?
regards
Steven
From: freeipa-users-boun...@redhat.com on
behalf of Andrey Ptashnik
Sent: Tuesday, 13 October 2015 6:21 a.m.
To:
Hi,
I am trying to determine what the difference is between the 2 options above in
IPA4.1 and the implications and complications are of using one or other. Also
which one would be the better choice and why?
Can someone explain in simple terms please?
regards
Steven
I have a 3 node IPA cluster, I have replaced the 2 "slaves" however when I try
and remove the last one the master? it says,
"[root@vuwunicoipam001 thing]# ipa-replica-manage del vuwunicoipam002.
Directory Manager password:
Deleting a master is irreversible.
To reconnect to the remote
Martin Kosek wrote:
> On 09/04/2015 12:00 AM, Rob Crittenden wrote:
>> Steven Jones wrote:
>>> I have a 3 node IPA cluster, I have replaced the 2 "slaves" however when I
>>> try and remove the last one the master? it says,
>>>
>>>
er 2015 1:26 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Ugrading IPA to dogtag? CA?
Steven Jones wrote:
> It seems I built IPA with self signed certs so I need to upgrade? is this
> possible? and if so how on existing servers?
I think it depends heavily on w
as below,
regards
Steven
8><
But overall, there is a decent HOWTO on the migration on these pages:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
8><
fraid not, tried it.
Crittenden <rcrit...@redhat.com>
Sent: Wednesday, 9 September 2015 3:20 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Ugrading IPA to dogtag? CA?
Steven Jones wrote:
> RHEL6.7 and IPA 3.0
>
> "self-signed" not understanding such termin
It seems I built IPA with self signed certs so I need to upgrade? is this
possible? and if so how on existing servers?
regards
Steven
Hi,
I am in a similar boat, well RHEL6.7 to RHEL7.1. I joined a RHEL7.1 / IPA4.1
to the 6.7 / IPA3.0 --self-cert domain, got rid of all the 6.7's so I was
ca-less. Did a full backup on the RHEL7.1 / IPA 4.1. Blew away the ipa
server, installed fresh, pki-tomcat runs, did a restore and
So to restore IPA I tried,
ipa-restore --data ipa-full-2015-09-10-10-28-11
and now I cannot loginopsie.
The admin user password doesn't work and neither do my own accounts.
NB I assume the flag --data restores the user data/HBAC rules etc?
regards
Steven
Hi,
Any idea how to fix this please?
[root@vuwunicoipam002 ~]# ldappasswd -ZZ -D 'cn=directory manager' -W -S
uid=admin,cn=users,cn=accounts,dc=xx,dc=xxx,dc=xx,dc=xx -H
ldap://vuwunicoipam002.xxx
New password:
Re-enter new password:
ldap_start_tls: Connect error (-11)
Hi,
I have a request to do limited automatic/self provisioning of users
provisioning to specific server. The idea is a lecturer would setup students
into IPA and select a specific user group from a limited drop down menu.
Is this possible to do such provisioning a very tied down / limited
Hi,
I have a 3 way IPA 4.2 setup running on Centos7.2
So ipa2 and ipa3 are replicas from ipa1.
Is a replication agreement setup between 2 and 3 automatically by default? (I
suspect not) how do I see this is or is not the case?
This is what I have so far,
==
[root@glusterp2 ~]#