On 20/03/2017 08:29, Jakub Hrozek wrote:
> On Fri, Mar 17, 2017 at 01:52:17PM +0000, Bob Hinton wrote:
>> On 17/03/2017 12:48, Lukas Slebodnik wrote:
>>> On (17/03/17 10:40), Bob Hinton wrote:
>>>> On 17/03/2017 08:41, Jakub Hrozek wrote:
>>>>> On Fri,
On 18/03/2017 19:09, Alexander Bokovoy wrote:
> On Sat, 18 Mar 2017, Bob Hinton wrote:
>> On 18/03/2017 17:03, Alexander Bokovoy wrote:
>>> On Sat, 18 Mar 2017, Bob Hinton wrote:
>>>> Hi,
>>>>
>>>> The first IPA master we built was ip
On 18/03/2017 17:03, Alexander Bokovoy wrote:
> On Sat, 18 Mar 2017, Bob Hinton wrote:
>> Hi,
>>
>> The first IPA master we built was ipa001.local.lan. We have since
>> created a number of subdomains of local.lan and have created a number of
>> replicas.
is correct?
Is there a way to change the default nisdomain? Rebuilding all the new
IPA masters and migrating all the data again would be a lot of work.
Many thanks
Bob Hinton
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
On 17/03/2017 14:01, Lukas Slebodnik wrote:
> On (17/03/17 13:52), Bob Hinton wrote:
>> On 17/03/2017 12:48, Lukas Slebodnik wrote:
>>> On (17/03/17 10:40), Bob Hinton wrote:
>>>> On 17/03/2017 08:41, Jakub Hrozek wrote:
>>>>> On Fri, Mar 1
On 17/03/2017 12:48, Lukas Slebodnik wrote:
> On (17/03/17 10:40), Bob Hinton wrote:
>> On 17/03/2017 08:41, Jakub Hrozek wrote:
>>> On Fri, Mar 17, 2017 at 06:50:34AM +0000, Bob Hinton wrote:
>>>> Morning,
>>>>
>>>> We have a collection of
On 17/03/2017 08:41, Jakub Hrozek wrote:
> On Fri, Mar 17, 2017 at 06:50:34AM +0000, Bob Hinton wrote:
>> Morning,
>>
>> We have a collection of hosts within prod1.local.lan. However, the
>> domain section of the shadow netgroups for the hosts is
>> mgmt.prod.loca
the value of
nsslapd-cachememsize
3. ipactl start
This seemed to work in that it made the error messages go away and it
made heavily loaded servers more stable. However, I've not tried this on
a recent version of ipa so it may no longer work or not be needed any more.
Regards
Bob
On 1
migration
process. Is there a way to correct the netgroup domains of these hosts,
or is the only option to run ipa-client-install --uninstall followed by
ipa-client-install to reattach them?
Many thanks
Bob
On 11/01/2017 13:55, Petr Vobornik wrote:
> On 01/10/2017 09:31 PM, Bob Hinton wrote:
>> Hi,
>>
>> The pki-tomcatd services on our IPA servers seem to have stopped working.
>>
>> This seems to be related to the expiry of several certificates -
>>
>> [
ntpd and vmware tools timesync.
Finally ipa-certupdate seems to have been needed to propagate the new
certs to the other replicas.
Many thanks
Bob
On 10/01/2017 20:47, Adam Tkac wrote:
> Hello,
>
> we hit similar issue (although due to different conditions - we rotated
> root CA cert and t
I wonder if that broke something.
ipa --version
VERSION: 4.4.0, API_VERSION: 2.213
The /etc/ca.crt cert was originally created on an ipa 3.3 server that no
longer exists, I don't know if that's relevant.
Anyway, I'm stumped on how to fix this so could anyone please help.
Many thanks
Bob
so that Rundeck sees a valid SSL certificate. This means
that the authentication fails if that particular IPA master is down.
Is it possible to create a single SSL certificate that would support an
LDAPS connection to any of the IPA masters and, if so, then how is this
done?
Many thanks
Bob Hinton
On 03/08/2016 14:13, Rob Crittenden wrote:
> Bob Hinton wrote:
>> On 03/08/2016 07:15, Petr Spacek wrote:
>>> On 3.8.2016 00:58, Bob Hinton wrote:
>>>> Hi,
>>>>
>>>> Something went wrong when trying to restore some preserved users so I
>>
On 03/08/2016 07:15, Petr Spacek wrote:
> On 3.8.2016 00:58, Bob Hinton wrote:
>> Hi,
>>
>> Something went wrong when trying to restore some preserved users so I
>> deleted them and then tried to recreate them. This failed with -
>>
>> ipa: ERROR: Unable
te private group. A group 'X' already exists.
Trying to detach it with
ipa group-detach X
produces
ipa: ERROR: X: group not found
ipa group-show X
displays the group, but "ipa group-find X" doesn't
How can I get rid of the group so I can recreate the us
an ldapsearch (see below), but this seems to give numbers
that don't match the replica IDs. Do I need to translate the search
results in some fashion or use a different search?
Many Thanks
Bob Hinton
-sh-4.2$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo
ore.cpp(59): Failed to enumerate object store in
/var/lib/softhsm/tokens/
Jul 13 19:31:01 ipa001.mgmt.local named-pkcs11[27088]: SoftHSM.cpp(456):
Could not load the object store
I've tried "ipa-server-upgrade" and
mv /var/lib/ipa/dnssec/tokens /var/lib/ipa/dnssec/tokens-OLD
ipa-dns-install
But I haven't managed to fix it.
Using "ipactl start -f" means the rest of the ipa services seem to work
properly, but without named.
Is there a way to fix the named issue, or is it much simpler to
disconnect the replica, uninstall it and start again?
Thanks
Bob Hinton
On 14/07/2016 08:39, Martin Babinsky wrote:
> On 07/13/2016 09:56 PM, Bob Hinton wrote:
>> Hi,
>>
>> We are trying to create a new replica on RHEL 7.2
>>
>> This completes but named-pkcs11 fails to start -
>>
>> systemctl status named-pkcs11.service
Hi Martin,
On 27/05/2016 14:01, Martin Kosek wrote:
> On 05/25/2016 09:51 PM, Bob Hinton wrote:
>> Hello,
>>
>> We are trying to get Zenoss login authentication to use freeipa over
>> LDAP. Group mappings don't currently work and we think this is because
>>
ster and two
replicas running IPA v4.2.0 on RHEL 7.2.
Do I need to make the same change to all three servers? Can I leave the
replicas connected, or do I need to break the replication and
re-establish it? Do I need the "ipa permission-mod"? If so, then how do I
avoid it freezing?
Many
possible to use the account policy plugin? Or is there a way to
track time of last auth that is replicated. I need to have accounts that
have been inactive for 90 days automatically disabled.
On Mon, Mar 21, 2016 at 11:22 AM, Rob Crittenden
wrote:
> Bob wrote:
>
>> We currently have 18
listed.
http://www.freeipa.org/page/Directory_Server
Looking in the directory DT of a "VERSION: 4.2.0, API_VERSION: 2.156"
installed on Redhat 7, I do see the account policy plugin in the
config tree.
Is the use of this account policy plugin supported with IPA? Should it work?
Thanks,
On 09/03/2016 22:14, Rob Crittenden wrote:
> Bob Hinton wrote:
>> Hi,
>>
>> I've been trying to add a password policy for an existing user group
>> called "services" in IPA version 4.2.0.
>>
>> ipa pwpolicy-add services
>> ipa: ERROR:
ileges then I get the same symptoms, so
it's possible that this is what happened with the services pwpolicy.
How do I correct this situation?
Many thanks
Bob Hinton
For Solaris we are using the pam_list module to control which LDAP users
can have system access. The pam_list module allows netgroups to be listed in
a user.allow file.
On Sat, Aug 15, 2015 at 1:05 PM, Natxo Asenjo
wrote:
>
>
> On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden
> wrote:
>
>> sipazz
keyfix.sh
echo -n ',' >> keyfix.sh
sudo cat /etc/ssh/ssh_host_ecdsa_key.pub >> keyfix.sh
echo -n ',' >> keyfix.sh
sudo cat /etc/ssh/ssh_host_ed25519_key.pub >> keyfix.sh
echo "'" >> keyfix.sh
vi keyfix.sh (keep pressing J to joi
On 10/06/2015 14:37, Lukas Slebodnik wrote:
> On (10/06/15 11:33), Bob Hinton wrote:
>> Hello,
>>
>> If I uninstall the ipa client with "ipa-client-install --uninstall" then
>> reinstall it to the same ipa master then most functions work fine.
>> However,
> If you edit on the client machine /home/USER/.ssh/known_hosts delete
> the IP line.
>
> On Wed, Jun 10, 2015 at 5:33 AM, Bob Hinton <b...@jackland.demon.co.uk> wrote:
>
> Hello,
>
> If I uninstall the ipa client with "ipa-client-install
ed with the old contents
and I get the same error (it seems odd that it's reporting that the host
key of the master has changed when it's the client that has been
reinstalled). How do I clear-out the client's knowledge of the old host
keys?
In this case I'm using ipa-client v3.0.0
On 01/06/2015 11:01, Petr Vobornik wrote:
> On 06/01/2015 11:36 AM, Bob Hinton wrote:
>> On 01/06/2015 09:55, Petr Vobornik wrote:
>>> On 05/31/2015 12:21 PM, Bob Hinton wrote:
>>>> Hello,
>>>>
>>>> I've written a Ruby script to add IPA u
On 01/06/2015 09:55, Petr Vobornik wrote:
> On 05/31/2015 12:21 PM, Bob Hinton wrote:
>> Hello,
>>
>> I've written a Ruby script to add IPA users from CSV files. This works
>> fine when specifying a username and password. However, using a keytab
>> produc
abase restored using ipa-restore a
number of times, so I don't know if this is a factor.
Thanks
Bob
-sh-4.2$ ./ipa-import-users -h
Usage ipa-import-users [options] file1.csv ...
-u, --user USER Kerberos principal that can add users
-p, --password PASSWORD Pa
Selinux is enabled on the target VMs, but
presumably this isn't an issue.
Many thanks
Bob Hinton
trying https://ipa001.jackland.co.uk/ipa/json
Forwarding 'ping' to json server 'https://ipa001.jackland.co.uk/ipa/json'
Cannot connect to the server due to generic error
min@ipa004:
ssh admin@ipa004
su (enter root password - no users with sudo
access exist yet)
tar xvfPz ipa004_backups_22052015.tgz
ipa-restore ipa-full-2015-05-22-17-28-01
systemctl stop sssd
rm -f /var/lib/sss/db/*
systemctl start sssd
Many thanks
Bob
ted via ipa-restore ?
The VM is RHEL7.1 with the following versions of ipa-server and
ipa-client installed.
Many thanks
Bob
Name: ipa-server
Arch: x86_64
Version : 4.1.0
Release : 18.el7_1.3
Size: 4.2 M
Repo: installed
From repo : rhel-7-server-rpms
Su
List more than 1 LDAP server in your config then.
ldap_uri, ldap_backup_uri (string)
Specifies the comma-separated list of URIs of the LDAP servers to which
SSSD should connect in the order of preference. Refer to the "FAILOVER"
section for more information on failover and server redundancy. If neit
I ran
ipa dnszone-mod vh1.vzwnet.com --update-policy="grant bob-key name
test.vh1.vzwnet.com.;"
I then execute the nsupdate:
[root@nj51rhidms16v ~]# ./bobtest.sh
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADKEY)
[root@nj51rhidms16v ~]# cat ./bobtest.sh
I added: "grant bob-key name test.vh1.vzwnet.com.;" in the IPA GUI.
But my nsupdate results in this in the daemon log:
May 12 17:04:02 nj51rhidms16v named[27438]: zone vh1.vzwnet.com/IN:
sending notifies (serial 1399928642)
May 12 17:08:44 nj51rhidms16v named[27438]: client 10.194.9
would be a large effort. It was my hope to use IPA / IDM to
provide multi master DNS, with each server being a SOA. But this becomes a
lot less desirable as a solution if I have to track down our key holders.
On Tue, May 13, 2014 at 10:04 AM, Dmitri Pal wrote:
> On 05/13/2014 09:59 AM,
Is there any way to do an nsupdate of DNS records in an IPA server using a
TSIG key without having a Kerberos ticket?
We were going to swap out bind in favor of IPA, but we need to be able to
do nsupdates.
On Mon, May 12, 2014 at 10:11 AM, Bob wrote:
> We use nsupdate to move the location
or more of these IPA DNS servers would be down or
unreachable.
Is there a way to make each IPA system a SOA for the same domain and still
have the DNS records replicate between them?
thanks,
Bob Harvey
___
Freeipa-users mailing list
Freeipa-users@redhat
How can I create the
id=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com account without
creating a replication agreement.
I do not want to replicate accounts between AD and ipa, but I do want
password changes on AD to be sent to ipa.
Is this possible?
thanks,
Bob H
same password that a LDAP bind would use. Meaning I have many
applications that can not use Kerberos, but can use LDAP. Can these
applications use IPA and expect that a given user account will have the
LDAP password kept in sync with the krb5 password?
thanks,
nce connected on the RHEL server, he wants to use the command "reboot
now" but this one is not authorized by the IPA server for this user on this
server. => Is this possible?
Many thanks,
- Original message -
From : david t. klein
Sent : 24.01.13 14:19
To : 'B
01/23/2013 03:59 PM, Bob Sauvage wrote:
>
> Hi Dale,
>
> You mean that if I turn this option to 'yes', I'll be able to connect to the
> server through SSH without needing to authenticate again? Even if I'm
> connected on the domain from a Windows workstat
-----
> *From:* freeipa-users-boun...@redhat.com on behalf of Bob Sauvage [bob.sauv...@gmx.fr]
> *Sent:* Wednesday, 23 January 2013 9:51 a.m.
> *To:* freeipa-users@redhat.com
> *Subject:* [Freeipa-users]
this with freeipa ? Do you have some articles ?
Thanks in advance,
Bob !