[Freeipa-users] freeipa-server on Raspberry Pi 2

2015-04-02 Thread Winfried de Heiden
Hi all, "Because I can try" I gave a shot on installing freeipa-server on a Raspberry Pi 2. I used Fedora 21 for this. Installing  looks promising, but fails somewhere halfway:   [8/27]: starting certificate server instance  

[Freeipa-users] External DNS

2015-05-07 Thread Winfried de Heiden
Hi all, One of the nice FreeIPA features is a host will be added to DNS automatically when the client is installed. However, in some situations using another, external, DNS server is preferred. Now, this is possible but hosts have to be added manually to this other DNS-server. Is it possible to

[Freeipa-users] AD-trust and external DNS

2015-05-18 Thread Winfried de Heiden
Hi all, Creating an AD-trust works nicely. However, for some customers both AD and IPA don't have DNS "for their own", they use external DNS (Infoblox for example) Now, is it possible to create an AD trust without a built-in (bind)

Re: [Freeipa-users] freeipa-server on Raspberry Pi 2

2015-04-07 Thread Winfried de Heiden
s: "CA did not start in 300.0s" I might try to hack the services.py script but anyone got another suggestion? Kind regards, Winfried On 02-04-15 at 13:38, Martin Basti wrote: On 02/04/15 12:53, Wi

Re: [Freeipa-users] freeipa-server on Raspberry Pi 2

2015-04-09 Thread Winfried de Heiden
/python2.7/site-packages/ipalib/constants.py Modify file and run ipa-server-install, it should work. HTH Martin On 07/04/15 10:05, Winfried de Heiden wrote: Hi, I gave it a try, but neither ~/.ipa

[Freeipa-users] rest api

2015-10-28 Thread Winfried de Heiden
Hi all, In order for an external application to communicate with IPA and/or modify on (free)Ipa, we want to use the JSON API. Where can I find documentation how to use this API? Thankz! Winny -- Manage your subscription for the Freeipa-users mailing list:

[Freeipa-users] sec_error_reused_issuer_and_serial

2015-09-22 Thread Winfried de Heiden
Hi all, Playing around with freeipa on Fedora 22 after installing I cannot access the UI. Firefox will tell "sec_error_reused_issuer_and_serial". I already have a Freeipa (Fedora 21 based) and somewhere there seems to be a conflict in the

[Freeipa-users] compat tree refresh

2015-12-03 Thread Winfried de Heiden
Hi all, Using a RHEL or Centos 5.11 as a legacy client (using sssd) seems to work. I created an external group which is member of a posix group. Putting an AD user in the external group works, but it seems to take ages before it takes effect.

[Freeipa-users] Trusted Domain Users - entry_cache_timeout

2015-12-09 Thread Winfried de Heiden
Hi all, Using entry_cache_timeout to set different cache timeout for sssd works well. However, it doesn't seem to work for Trusted Domain Users (using AD trust) I made some changes, cleaned the cache but expiry will stay on a (too long) 10

Re: [Freeipa-users] AD group members

2015-12-15 Thread Winfried de Heiden
n Tue, Dec 15, 2015 at 03:44:46PM +0100, Winfried de Heiden wrote: Hi all, Even more strange, logging in using SSH public/private keys the problem disappears and all groups are available! Strange.?! this is expected, because if you use SSH keys no PAC is invol

Re: [Freeipa-users] AD group members

2015-12-15 Thread Winfried de Heiden
15-12-15 at 16:19, Sumit Bose wrote: On Tue, Dec 15, 2015 at 03:44:46PM +0100, Winfried de Heiden wrote: Hi all, Even more strange, logging in using SSH public/private keys the problem disappears and all groups are available! Strange

[Freeipa-users] AD group members

2015-12-14 Thread Winfried de Heiden
Using an EL7 client, lots of times the IPA (posix) groups are missing, or partly missing. Doing some debugging, sssd_pac.log shows: (Mon Dec 14 17:19:08 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000): Group with SID

Re: [Freeipa-users] Trusted Domain Users - entry_cache_timeout

2015-12-10 Thread Winfried de Heiden
: On 12/09/2015 12:58 PM, Winfried de Heiden wrote: Hi all, Using entry_cache_timeout to set different cache timeout for sssd works well. However, it doesn't seem to work for Trusted Domain Users (using AD trust) I made some changes, cleaned the cache but expiry

Re: [Freeipa-users] AD group members

2015-12-15 Thread Winfried de Heiden
1.13.0-40 as an IPA client RHEL 6.7 with sssd 1.12.4-47 as an IPA client Winny On 15-12-15 at 09:59, Sumit Bose wrote: On Mon, Dec 14, 2015 at 05:47:38PM +0100, Winfried de Heiden wrote: Using an EL7 client, lots of times the IPA (posix

Re: [Freeipa-users] AD group members

2015-12-16 Thread Winfried de Heiden
Hi all, Adding AD-users to an IPA external group seems to be problematic. However, adding AD-groups (with AD-users as members) to an IPA external group seems to work well. Four groups were created and all are shown. Smells a bit like a bug,

Re: [Freeipa-users] AD group members

2015-12-16 Thread Winfried de Heiden
...? Cheers! Winny On 16-12-15 at 10:01, Sumit Bose wrote: On Wed, Dec 16, 2015 at 09:46:37AM +0100, Winfried de Heiden wrote: Hi all, Adding AD-users to an IPA external group seems to be problematic. However, adding AD-groups (with AD-users

[Freeipa-users] FreeIPA en Domain Trust

2015-11-23 Thread Winfried de Heiden
Hi all, For some reason, we only want to use the Active Directory user from an Active Directory using a Trust. (groups like "Domain Users"  are of no use...) Is it possible to ignore (hide) ALL groups from a particular Domain (trust)/

[Freeipa-users] hbac service allowed despite not listed

2015-11-23 Thread Winfried de Heiden
Hi all, I created some hbac rule on freeipa-server 4.1.4 on Fedora 22 # ipa hbacrule-show testuser   Rule name: testuser   Enabled: TRUE   Users: testuser   Hosts: fedora23-server.blabla.bla   Services: sshd Hence, "

[Freeipa-users] Fwd: Re: FreeIPA en Domain Trust

2015-11-23 Thread Winfried de Heiden
10:50 AM, Winfried de Heiden wrote: Hi all, For some reason, we only want to use the Active Directory user from an Active Directory using a Trust. (groups like "Domain Users" are of no use...) Is it possible to ignore (hide) ALL groups from a particular Domain (trus

Re: [Freeipa-users] hbac service allowed despite not listed

2015-11-24 Thread Winfried de Heiden
Hi all, Running as an ordinary user, straight from the beginning. Is the (default) suid of /usr/bin/su causing this? Anyway: the info requested: /var/log/secure will tell: Nov 24 11:04:11 fedora23-server su:

Re: [Freeipa-users] hbac service allowed despite not listed

2015-11-24 Thread Winfried de Heiden
on, Nov 23, 2015 at 04:55:31PM +0100, Winfried de Heiden wrote: Hi all, I created some hbac rule on freeipa-server 4.1.4 on Fedora 22 # ipa hbacrule-show testuser   Rule name: testuser   Enabled: TRUE   Users: testuser   Hosts: fedora23-server.blabla.bla   Serv

Re: [Freeipa-users] hbac service allowed despite not listed

2015-11-24 Thread Winfried de Heiden
rspective, all other HBAC services are what this user is allowed to do; "su" and "su-l" defines that OTHER user may become this user by using su. A bit strange, but this is how it works. Anyone disagree? Winny On 24-11-15 at 14:04, Jakub Hrozek wrote: On Tue, Nov 24, 2015

Re: [Freeipa-users] FreeOTP

2016-06-08 Thread Winfried de Heiden
are using. Please provide the output from this command: rpm -qa 'libverto*' 'krb5*' On Wed, 2016-06-08 at 08:34 +0200, Winfried de Heiden wrote: Hi all, Well, the libverto is there some time already (yep, it's running on a Bananapi!), doesn't feel like a recent update, so a Name

[Freeipa-users] FreeIPA 4.4

2016-06-08 Thread Winfried de Heiden
Hi all, Any news/progress about FreeIPA 4.4? On http://www.freeipa.org/page/Roadmap: FreeIPA 4.4: feature release. Release planned for end of May 2016. Any updated release date...? Winny

Re: [Freeipa-users] FreeOTP

2016-06-08 Thread Winfried de Heiden
at 19:15, Nathaniel McCallum wrote: On Tue, 2016-06-07 at 19:42 +0300, Alexander Bokovoy wrote: Adding Nathaniel to look into it. On Tue, 07 Jun 2016, Winfried de Heiden wrote: And some more debugging for you guys...: un  7 17:00:52 ipa

Re: [Freeipa-users] FreeOTP

2016-06-08 Thread Winfried de Heiden
Winfried de Heiden: Hi all, Well, the libverto is there some time already (yep, it's running on a Bananapi!), doesn't feel like a recent update, so a Name    : libverto Version : 0.2.6 Release

[Freeipa-users] FreeOTP

2016-06-07 Thread Winfried de Heiden
Hi all, I am trying to setup Freeipa with otp using the freeotp app. All looks fine, adding the user to the FreeOTP app also works fine. The user looks like: ipa user-show otpuser   User login: otpuser   First name: otp   Last

Re: [Freeipa-users] FreeOTP

2016-06-07 Thread Winfried de Heiden
Hi all, I tried the FreeIPA webUI, ssh and "su - otpuser", all the same result. Winny On 07-06-16 at 15:02, Alexander Bokovoy wrote: On Tue, 07 Jun 2016, Winfried de Heiden wrote: Hi all,

Re: [Freeipa-users] FreeOTP

2016-06-07 Thread Winfried de Heiden
) and the device that is generating the OTP tokens. I have had issues with this with my users couple of times. On 7 June 2016 at 19:43, Alexander Bokovoy <aboko...@redhat.com> wrote: On Tue, 07 Jun 2016, Winfried de Heiden

Re: [Freeipa-users] FreeOTP

2016-06-07 Thread Winfried de Heiden
No, neither HOTP works... On 07-06-16 at 17:09, Prashant Bapat wrote: Do HOTP tokens work fine ? On 7 June 2016 at 20:37, Winfried de Heiden <w...@dds.nl>

Re: [Freeipa-users] FreeOTP

2016-06-10 Thread Winfried de Heiden
-16 at 18:51, Sumit Bose wrote: On Thu, Jun 09, 2016 at 08:42:59AM -0400, Nathaniel McCallum wrote: On Thu, 2016-06-09 at 10:46 +0200, Sumit Bose wrote: On Thu, Jun 09, 2016 at 08:16:13AM +0200, Winfried de Heiden wrote

Re: [Freeipa-users] FreeOTP

2016-06-09 Thread Winfried de Heiden
On 08-06-16 at 19:15, Nathaniel McCallum wrote: Can you please try:   # dnf install libverto-libev   # dnf remove libverto-tevent   # ipactl restart On Wed, 2016-06-08 at 18:30 +0200, Winfried de Heiden wrote: Well, here you are: rpm -qa 'libverto*' 'krb5

Re: [Freeipa-users] dns location based discovery

2016-05-30 Thread Winfried de Heiden
4, I curious to test Kind regards, Winny On 30-05-16 at 17:54, Jakub Hrozek wrote: On Mon, May 30, 2016 at 05:22:33PM +0200, Sumit Bose wrote: On Mon, May 30, 2016 at 05:13:35PM +0200, Winfried de Heiden wrote:

Re: [Freeipa-users] dns location based discovery

2016-05-30 Thread Winfried de Heiden
Can't wait! Winny On 30-05-16 at 18:39, Martin Basti wrote: On 30.05.2016 18:16, Winfried de Heiden wrote: Hi all, Thanks for the quick answer even though I send

Re: [Freeipa-users] dns location based discovery

2016-05-31 Thread Winfried de Heiden
Just curious! Winny On 30-05-16 at 18:39, Martin Basti wrote: On 30.05.2016 18:16, Winfried de Heiden wrote: Hi all, Thanks for the quick answer even tho

Re: [Freeipa-users] FreeOTP

2016-06-22 Thread Winfried de Heiden
: https://github.com/krb5/krb5/pull/471 Once merged, we will backport the fix into all existing Fedora releases. So you should get an update via a simple: dnf update. On Thu, 2016-06-16 at 10:28 +0200, Winfried de Heiden wrote: Hi all, "So it looks a bit like a libverto 32bit

Re: [Freeipa-users] FreeOTP

2016-06-16 Thread Winfried de Heiden
n 09, 2016 at 08:16:13AM +0200, Winfried de Heiden wrote: Hi all, I can install libvert-libev but removing libverto-tevent will remove 123 dependencies also. (wget, tomcat and much more...) Hence, I installed libverto-libev, but did not remove libverto-tevent to give it a try. After ipactl res

[Freeipa-users] Active Directory Trust = filter users

2016-02-09 Thread Winfried de Heiden
Hi all, Using an Active Directory Trust with IPA all works fine but there's a disadvantage: it might bring in lots and lots of groups I am not interested in since it mainly hit Windows and/or Office stuff. Now, is it possible to filter

Re: [Freeipa-users] Active Directory Trust = filter users

2016-02-10 Thread Winfried de Heiden
Settings) by using the SID? Winny On 10-02-16 at 09:42, Jakub Hrozek wrote: On Tue, Feb 09, 2016 at 11:58:46AM +0100, Winfried de Heiden wrote: Hi all, Using an Active Directory Trust with IPA all works fine but there's an di

[Freeipa-users] OTP

2016-02-02 Thread Winfried de Heiden
Hi all, I'm trying to enable OTP: - Enabled "Two factor authentication (password + OTP)" for a particular user. - Added an OTP token, FreeOTP on an Android that is, for the user which all went fine. Trying to login will fail.

Re: [Freeipa-users] could not get zone keys for secure dynamic update

2016-02-22 Thread Winfried de Heiden
DNS) Winny On 22-02-16 at 11:10, Petr Spaceopendnssec wrote: On 22.2.2016 09:36, Winfried de Heiden wrote: Hi all, I get lots of messages in my log (journalctl -u named-pkcs11.service -p err ) like these: Feb 22 09:17:32 ipa.exampl

Re: [Freeipa-users] could not get zone keys for secure dynamic update

2016-02-23 Thread Winfried de Heiden
:18, Winfried de Heiden wrote: Hi all, And so did I, following http://www.freeipa.org/page/Troubleshooting#DNSSEC_master_is_not_configured: ipa-dns-install --dnssec-master The log file for this installation can be found in /var/log/ipaserver-install.log

[Freeipa-users] IPA KDC Proxy

2016-01-22 Thread Winfried de Heiden
Hi all, I configured an IPA client using the FreeIPA 4.2 KDC Proxy something like this: ~  dns_lookup_realm = false  dns_lookup_kdc = false ~ [realms]  LINUX.EXAMPLE.COM = {   pkinit_anchors = FILE:/etc/ipa/ca.crt

Re: [Freeipa-users] IPA KDC Proxy

2016-01-24 Thread Winfried de Heiden
Great, Changing /etc/ipa/kdcproxy/kdcproxy.conf [global] configs = mit use_dns = false to # cat /etc/ipa/kdcproxy/kdcproxy.conf [global] configs = mit use_dns = true along with adding

Re: [Freeipa-users] IPA KDC Proxy

2016-01-25 Thread Winfried de Heiden
OK clear, many thanks! Winny On 25-01-16 at 09:45, Christian Heimes wrote: On 2016-01-25 08:17, Winfried de Heiden wrote: Great, Changing /etc/ipa/kdcproxy/kdcproxy.conf [global] configs = mit use_dns = false to # cat /etc

Re: [Freeipa-users] IPA KDC Proxy

2016-01-25 Thread Winfried de Heiden
"RHEL 6.x libkrb5 has no support for KDC proxy" Too bad, I was afraid of that Winny On 25-01-16 at 08:36, Alexander Bokovoy wrote: HEL 6.x libkrb5 has no support for KDC proxy

[Freeipa-users] could not get zone keys for secure dynamic update

2016-02-22 Thread Winfried de Heiden
Hi all, I get lots of messages in my log (journalctl -u named-pkcs11.service -p err ) like these: Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN (signed): could not get zone keys for secure dynamic update Feb

[Freeipa-users] Freeipa on ARM (raspberry pi) - OpenJDK vs. Oracle JDK

2016-12-01 Thread Winfried de Heiden
Hi all, Started as "just because it's possible" running FreeIPA on a BananaPI or Raspberry PI turned out to be rather successful and for more than a year I use FreeIPA at home. OK, running on small boards like Raspberry PI it never

Re: [Freeipa-users] Freeipa on ARM (raspberry pi) - OpenJDK vs. Oracle JDK

2016-12-01 Thread Winfried de Heiden
Hi all, Bugzilla created: https://bugzilla.redhat.com/show_bug.cgi?id=1400462 Winfried On 01-12-16 at 09:19, Petr Spacek wrote: On 1.12.2016 09:07, Winfried de Heiden wrote: Hi all, Started