[Freeipa-users] Mass update IP addresses

2014-07-22 Thread KodaK
For various reasons, I need to move a lot of my IPA clients to a different subnet. I'd like to automate this as much as possible. My initial thought is to use a combination of puppet and ipa commands, but I wanted to see if anyone had any advice. Anything I should watch out for in IPA? I know t

Re: [Freeipa-users] sudo env_keep option [solved]

2014-04-16 Thread KodaK
As usual, I figured this out pretty much as soon as I posted. Fix: separate options, but subsequent options need to be += EX: env_keep=FOO env_keep+=BAR --Jason On Wed, Apr 16, 2014 at 4:43 PM, KodaK wrote: > I'm trying to specify env_keep variables. I can't seem to be

[Freeipa-users] sudo env_keep option

2014-04-16 Thread KodaK
I'm trying to specify env_keep variables. I can't seem to be able to pass more than one. env_keep=FOO works, env_keep="FOO BAR" does not. Specifying multiple env_keep options also doesn't work (I didn't expect it to.) Is there some special thing I'm missing? Thanks, --Jason

[Freeipa-users] AD trusts & HBACs & such

2014-03-25 Thread KodaK
I've been working with support on how to set up HBAC and sudo rules with AD users. From what they've described I can only manage them on an aggregate level using an external group. For example, I can define an hbac rule, but that hbac rule will be valid for *all* AD users in the external group t

Re: [Freeipa-users] passwordless login into IPA clients possible from non IPA client?

2014-03-19 Thread KodaK
Andrew's suggestion works fine, but you can also set up a simple krb5.conf on the source hosts and then issue a kinit. It doesn't have to be a "full" IPA client for that to work. You can also do this from a Windows box by using the MIT Kerberos for Windows package: http://web.mit.edu/Kerberos/di

Re: [Freeipa-users] AIX kerberos client to IPA

2014-03-12 Thread KodaK
I had this issue, but I gave up. I have my users either log into a Linux box to change passwords or use a web based password reset I set up for them. When your users log in successfully do they have tickets? That's my situation: they can get tickets once they're logged in, but can't change when

Re: [Freeipa-users] scripting ipa commands [solved]

2014-03-06 Thread KodaK
is run. > > #!/bin/bash > > ### > # Auto Kinit > > > /usr/kerberos/bin/klist -s > EXITCODE=$? > if [ $EXITCODE != "0" ] ; then > /usr/kerberos/bin/kdestroy >> /dev/null 2>&1 > /usr/kerberos/bin/kinit -F usern...

[Freeipa-users] scripting ipa commands

2014-03-06 Thread KodaK
Once again, I'm probably missing something that's well documented. I promise I searched. We have a daily termination list that needs to be enforced at 5:00 PM every day. I can script it up just fine, but sometimes I like to sneak out early. I tried to use "at," but since I'm logged out when the

Re: [Freeipa-users] [solved] TLS error on master server / CA issue?

2014-02-28 Thread KodaK
On Fri, Feb 28, 2014 at 1:05 PM, Rob Crittenden wrote: > KodaK wrote: > >> >> >> >> On Fri, Feb 28, 2014 at 11:14 AM, Rob Crittenden > <mailto:rcrit...@redhat.com>> wrote: >> >> KodaK wrote: >> >> Hey everyone,

Re: [Freeipa-users] TLS error on master server / CA issue?

2014-02-28 Thread KodaK
On Fri, Feb 28, 2014 at 11:14 AM, Rob Crittenden wrote: > KodaK wrote: > >> Hey everyone, >> >> A couple of days ago I started getting the following message: >> >> [jebalicki@slpidml01 ~]$ ipa cert-show 1 >> ipa: INFO: trying https://slpidml01.uni

[Freeipa-users] TLS error on master server / CA issue?

2014-02-28 Thread KodaK
Hey everyone, A couple of days ago I started getting the following message: [jebalicki@slpidml01 ~]$ ipa cert-show 1 ipa: INFO: trying https://slpidml01.unix.xxx.com/ipa/xml ipa: INFO: Forwarding 'cert_show' to server u' https://slpidml01.unix.xxx.com/ipa/xml' ipa: ERROR: Certificate operation ca

Re: [Freeipa-users] HP ILO Authentication via LDAP (or even kerberos)

2014-01-15 Thread KodaK
For the record, I spent quite a long time on this and finally gave up. I never found a work-around other than providing the entire DN, which I wasn't about to do. On Tue, Jan 14, 2014 at 11:53 PM, Alexander Bokovoy wrote: > On Wed, 15 Jan 2014, Les Stott wrote: > >> I can confirm that the passw

Re: [Freeipa-users] WARNING: Do not upgrade FreeIPA deployments to Fedora 20 final (yet)

2013-12-17 Thread KodaK
I took a look at the bugs page and I didn't see it mentioned, but I'm asking anyway: is anyone aware of any client-side issues on fedora IRT IPA? We have some fedora workstations that auth against IPA in RHEL 6. On Tue, Dec 17, 2013 at 3:14 AM, Alexander Bokovoy wrote: > Greetings! > > As many

Re: [Freeipa-users] FreeIPA integration with AIX and sudo

2013-12-16 Thread KodaK
I am an unfortunate AIX sufferer as well. I've gotten through setting this up. First, what version of sudo are you running on the AIX box? On Mon, Dec 16, 2013 at 8:46 AM, wrote: > Hi, > > I'm trying to integrate on AIX environment (as clients) a centralized > authentication and authorization

Re: [Freeipa-users] Revisiting ILO [SOLVED]

2013-11-20 Thread KodaK
Not exactly "solved" but I'll call it that, since there is no way to change the login attribute. I've requested this feature, but I requested it through support and I'm sure it will die in a queue somewhere. On Wed, Nov 6, 2013 at 6:25 AM, Dmitri Pal wrote: > O

[Freeipa-users] Lesson learned: don't do this.

2013-11-20 Thread KodaK
Just wanted to pass along an issue I just had. We have some legacy local users on some boxes, and we need to have a mix of those local users and IPA users in the same groups. In order for that to happen (at least on AIX) I need to create a group in IPA with the GID of the local group. This can b

Re: [Freeipa-users] Revisiting ILO

2013-11-05 Thread KodaK
If I use the whole connection string: uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com I can authenticate. On Tue, Nov 5, 2013 at 1:40 PM, KodaK wrote: > I'm attempting to get HP ILO authenticating against IPA again. > > I've configured the user contex

[Freeipa-users] Revisiting ILO

2013-11-05 Thread KodaK
I'm attempting to get HP ILO authenticating against IPA again. I've configured the user context in ILO as: cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com When ILO tries to connect, it sends the string: CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com Which, of course,

Re: [Freeipa-users] Force IPA to accept password?

2013-09-26 Thread KodaK
Here's what I had to do: http://www.freeipa.org/page/PasswordSynchronization On Thu, Sep 26, 2013 at 10:35 AM, KodaK wrote: > As far as I can tell, password policy is enforced on the client side, not > the directory side. > > I set up a self-service password reset utility w

Re: [Freeipa-users] Force IPA to accept password?

2013-09-26 Thread KodaK
As far as I can tell, password policy is enforced on the client side, not the directory side. I set up a self-service password reset utility which enforces its own rules and bypasses the IPA password policies. I used this one: http://ltb-project.org I created a us

Re: [Freeipa-users] Timeout (?) issues

2013-09-23 Thread KodaK
On Fri, Sep 20, 2013 at 3:07 AM, Petr Spacek wrote: > On 20.9.2013 01:24, KodaK wrote: > >> This is ridiculous, right? >> >> IPA server 1: >> >> # for i in $(ls access*); do echo -n $i:\ ;grep err=32 $i | wc -l; done >> access: 248478 >> acces

Re: [Freeipa-users] Timeout (?) issues

2013-09-19 Thread KodaK
9/16/2013 07:57 PM, Dmitri Pal wrote: > > On 09/16/2013 12:02 PM, KodaK wrote: > > Yet another AIX related problem: > > The AIX LDAP client is called secldapclntd (sure, they could make it > more awkward, but the budget ran out.) I'm running into the issue detailed > here:

Re: [Freeipa-users] Timeout (?) issues

2013-09-19 Thread KodaK
scope=0 filter="(objectClass=idnsRecord)" attrs=ALL [19/Sep/2013:18:19:51 -0500] conn=9 op=169772 RESULT err=32 tag=101 nentries=0 etime=0 So far today there are over half a million of these. That can't be right. On Thu, Sep 19, 2013 at 3:05 PM, KodaK wrote: > I didn't

Re: [Freeipa-users] Timeout (?) issues

2013-09-19 Thread KodaK
opening a RH ticket. Thanks, --Jason On Thu, Sep 19, 2013 at 1:57 PM, KodaK wrote: > Well, this is awkward: > > [root@slpidml01 slapd-UNIX-xxx-COM]# grep conn=170902 access* | wc -l > 5453936 > [root@slpidml01 slapd-UNIX-xxx-COM]# > > > On Thu, Sep 19, 2013 at 1:48 PM

Re: [Freeipa-users] Timeout (?) issues

2013-09-19 Thread KodaK
Well, this is awkward: [root@slpidml01 slapd-UNIX-xxx-COM]# grep conn=170902 access* | wc -l 5453936 [root@slpidml01 slapd-UNIX-xxx-COM]# On Thu, Sep 19, 2013 at 1:48 PM, KodaK wrote: > Thanks. I've been running that against my logs, and this has to be > abnormal:

Re: [Freeipa-users] Timeout (?) issues

2013-09-19 Thread KodaK
I didn't realize that DNS created one connection. I thought it was one connection spanning several days. On Thu, Sep 19, 2013 at 2:51 PM, Rich Megginson wrote: > On 09/19/2013 12:57 PM, KodaK wrote: > > Well, this is awkward: > > [root@slpidml01 slapd-UNIX-xxx-COM]# gre
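The counting in this thread is done with grep and wc over the 389-ds access logs (err=32 per file, all results for one conn). The script below is an added example, not code from the thread, that does the same per connection and per result code so a single connection hammering the server with noSuchObject results stands out. The log lines embedded in it are constructed in the access-log format quoted above; the DNs, connection numbers and the reporting threshold are assumptions.

```python
"""Count 389-ds access-log RESULT lines by connection and LDAP result code.

Added example; not code from the thread. The sample lines are constructed in
the access-log format the thread quotes, and the connection numbers, DNs and
threshold below are assumptions.
"""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample: conn=9 (the DNS plugin in the thread's scenario) keeps
# issuing base-scope searches that return err=32 (noSuchObject); conn=1201 is
# an ordinary bind plus one search.
SAMPLE_LOG = """\
[19/Sep/2013:18:19:50 -0500] conn=9 op=169770 SRCH base="idnsname=foo,idnsname=unix.example.com,cn=dns,dc=unix,dc=example,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[19/Sep/2013:18:19:50 -0500] conn=9 op=169770 RESULT err=32 tag=101 nentries=0 etime=0
[19/Sep/2013:18:19:51 -0500] conn=9 op=169771 RESULT err=32 tag=101 nentries=0 etime=0
[19/Sep/2013:18:19:51 -0500] conn=9 op=169772 RESULT err=32 tag=101 nentries=0 etime=0
[19/Sep/2013:18:19:52 -0500] conn=1201 op=0 BIND dn="uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=example,dc=com" method=128 version=3
[19/Sep/2013:18:19:52 -0500] conn=1201 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[19/Sep/2013:18:19:53 -0500] conn=1201 op=1 RESULT err=0 tag=101 nentries=1 etime=3
"""

# Only RESULT lines carry the error code; SRCH/BIND lines are skipped.
RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT '
    r'err=(?P<err>\d+) .*?etime=(?P<etime>[\d.]+)'
)


def parse_results(lines):
    """Yield one dict per RESULT line: conn, op, err, etime (seconds)."""
    for line in lines:
        m = RESULT_RE.match(line)
        if m:
            yield {
                'conn': int(m.group('conn')),
                'op': int(m.group('op')),
                'err': int(m.group('err')),
                'etime': float(m.group('etime')),
            }


def count_err(lines, err=32):
    """Like `grep err=32 access | wc -l`, but counted on RESULT lines only."""
    return sum(1 for r in parse_results(lines) if r['err'] == err)


def summarize(lines):
    """Return (results per conn, {conn: Counter(err -> count)})."""
    ops_by_conn = Counter()
    err_by_conn = defaultdict(Counter)
    for r in parse_results(lines):
        ops_by_conn[r['conn']] += 1
        err_by_conn[r['conn']][r['err']] += 1
    return ops_by_conn, err_by_conn


def noisy_connections(lines, err=32, min_hits=3):
    """Connections that returned `err` at least `min_hits` times, sorted."""
    _, err_by_conn = summarize(lines)
    return sorted(c for c, errs in err_by_conn.items() if errs[err] >= min_hits)


def report(lines, err=32, min_hits=1000):
    """Human-readable lines for each noisy connection."""
    ops_by_conn, err_by_conn = summarize(lines)
    return [f"conn={conn}: {ops_by_conn[conn]} results, "
            f"{err_by_conn[conn][err]} with err={err}"
            for conn in noisy_connections(lines, err, min_hits)]


if __name__ == '__main__':
    # Usage: python access_err.py /var/log/dirsrv/slapd-INSTANCE/access*
    paths = sys.argv[1:]
    if not paths:
        lines = SAMPLE_LOG.splitlines()
        print(f"err=32 results in constructed sample: {count_err(lines)}")
        print('\n'.join(report(lines, min_hits=3)))
    for path in paths:
        with open(path, errors='replace') as fh:
            lines = fh.read().splitlines()
        print(f"{path}: {count_err(lines)} err=32 results")
        print('\n'.join(report(lines)))
```

Run it with no arguments to see the constructed sample, or point it at rotated access files; the default threshold of 1000 err=32 results per connection is an assumption to tune for your server. Matching RESULT lines rather than grepping the whole file avoids double counting when a DN or filter happens to contain the text "err=32".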

Re: [Freeipa-users] Replication causing long etimes

2013-09-19 Thread KodaK
Terry, did you ever get to the bottom of this? I appear to be having a similar issue with the same version of IPA. On Wed, Sep 4, 2013 at 1:18 PM, Terry Soucy wrote: > I am experiencing some long execution times, and I'm wondering if anyone > can give me some insight. > > We are running FreeIP

[Freeipa-users] Timeout (?) issues

2013-09-16 Thread KodaK
Yet another AIX related problem: The AIX LDAP client is called secldapclntd (sure, they could make it more awkward, but the budget ran out.) I'm running into the issue detailed here: http://www-01.ibm.com/support/docview.wss?uid=isg1IV11344 "If an LDAP server fails to answer an LDAP query, secl

Re: [Freeipa-users] Mountain Lion GUI Login

2013-08-06 Thread KodaK
On Tue, Aug 6, 2013 at 4:31 PM, Davis Goodman wrote: > Hi, > > I have a FreeIPA server configured, managed to configure a Mountain Lion > Client for automounts and user logins. > > My issue is that whenever I first login with a user the "New Password" box > shows up and even if I try to change

Re: [Freeipa-users] Sanity check on hbac rule on "foreign" domains.

2013-08-06 Thread KodaK
On Mon, Aug 5, 2013 at 4:23 AM, Sumit Bose wrote: > Which version of FreeIPA are you using on the server? Maybe the sssd > logs at a high debug level will give more details why the access is > denied you you try to log in with ssh as testuser on > stlmoracsbx01.domain.com. Something must have bee

[Freeipa-users] Sanity check on hbac rule on "foreign" domains.

2013-08-02 Thread KodaK
First, before we go any further: is it supported to use sssd when the client machine's domain differs from the realm name? If not, then the rest of this is moot. Client box is a RHEL 5.something. I didn't do "ipa-client-install" because I wanted to configure by hand as a test. The client box ha

Re: [Freeipa-users] authenticate with base domain name?

2013-07-31 Thread KodaK
On Wed, Jul 31, 2013 at 1:28 PM, KodaK wrote: > On Wed, Jul 31, 2013 at 11:24 AM, Sumit Bose wrote: >> >> On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote: >> > On Wed, Jul 31, 2013 at 11:09 AM, KodaK wrote: >> > >> > > >> > >

Re: [Freeipa-users] authenticate with base domain name?

2013-07-31 Thread KodaK
On Wed, Jul 31, 2013 at 1:28 PM, KodaK wrote: > On Wed, Jul 31, 2013 at 11:24 AM, Sumit Bose wrote: >> >> On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote: >> > On Wed, Jul 31, 2013 at 11:09 AM, KodaK wrote: >> > >> > > >> > >

Re: [Freeipa-users] authenticate with base domain name?

2013-07-31 Thread KodaK
On Wed, Jul 31, 2013 at 11:24 AM, Sumit Bose wrote: > > On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote: > > On Wed, Jul 31, 2013 at 11:09 AM, KodaK wrote: > > > > > > > > > > > On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose wrote: > > &

Re: [Freeipa-users] authenticate with base domain name?

2013-07-31 Thread KodaK
On Wed, Jul 31, 2013 at 11:09 AM, KodaK wrote: > > > On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose wrote: > > > I think that's the issue. You have to make sure that host.domain.com has > > > a DNS entry somewhere, it does not have to be the IPA DNS but the DNS &g

Re: [Freeipa-users] authenticate with base domain name?

2013-07-31 Thread KodaK
On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose wrote: > I think that's the issue. You have to make sure that host.domain.com has > a DNS entry somewhere, it does not have to be the IPA DNS but the DNS > setup must be correct so the IPA DNS can forward the request to the > right server. Then you c

Re: [Freeipa-users] password resetting into IPA

2013-07-30 Thread KodaK
On Tue, Jul 30, 2013 at 6:16 PM, Steven Jones wrote: > Has anybody tried this? > > http://code.google.com/p/pwm/ > > Would it work is is it advised not to use it, if so reasons please? > It's been talked about a bit in this mailing list. I had issues, and I know of another person who was setting

Re: [Freeipa-users] authenticate with base domain name?

2013-07-30 Thread KodaK
Ok, so, yeah -- my first question stands. This works when it falls back to LDAP, but it does not honor a kerberos ticket. Is there a way to do that in the same circumstances? Thanks again, --Jason On Tue, Jul 30, 2013 at 2:58 PM, KodaK wrote: > Never mind, AIX problem (surprise, surpr

Re: [Freeipa-users] authenticate with base domain name?

2013-07-30 Thread KodaK
Jason On Tue, Jul 30, 2013 at 2:41 PM, KodaK wrote: > I've been searching and I know it's been answered before but I can't find it. > > I have UNIX.DOMAIN.COM as my IPA realm. > > I have some hosts that sit on (in dns) domain.com (they are not part > of any oth

[Freeipa-users] authenticate with base domain name?

2013-07-30 Thread KodaK
I've been searching and I know it's been answered before but I can't find it. I have UNIX.DOMAIN.COM as my IPA realm. I have some hosts that sit on (in dns) domain.com (they are not part of any other Kerberos realms.) I'm unable to currently change the domain names on these boxes. In krb5.conf

Re: [Freeipa-users] IPA + AD authentication in apache

2013-07-19 Thread KodaK
On Fri, Jul 19, 2013 at 9:55 AM, natxo asenjo wrote: > On 07/19/2013 04:09 PM, Sigbjorn Lie wrote: >> >> >> Retrieve a keytab from AD: >> >>> ktpass -princ HTTP/webserver.ipa.domain@WINDOWS.DOMAIN +rndpass /mapuser >>> WINDOMAIN\webserver$ >> >> -crypto all -ptype KRB5_NT_PRINCIPAL -out webserver.

Re: [Freeipa-users] IPA + AD authentication in apache

2013-07-19 Thread KodaK
On Thu, Jul 18, 2013 at 4:43 PM, Sigbjorn Lie wrote: > > Hi. > > I've done the kerberos part with several Apache Web servers with success. > I've not done the fallback to ldap basic auth. > > Set KrbServiceName to Any in httpd.conf and put a HTTP service kerberos > keytab from AD and one from IP

[Freeipa-users] IPA + AD authentication in apache

2013-07-18 Thread KodaK
Another off the wall one from me, but I just want to know if this is worth pursuing. I have a series of internal web applications that authenticate variously to AD or IPA via prompted credentials. I'd like to use Kerberos tickets (and fall back to LDAP) instead. I have an IPA connected apache se

Re: [Freeipa-users] deleting password history?

2013-07-15 Thread KodaK
On Mon, Jul 15, 2013 at 7:04 PM, Dmitri Pal wrote: > You probably want to remove krbPwdHistory attribute and set > krbPwdHistoryLength to 0. > > > Just so I'm clear: I only want to do a one-time erase for one user so he can use a password he was using earlier. We changed it for testing and I do

[Freeipa-users] deleting password history?

2013-07-15 Thread KodaK
I'm probably missing something obvious, but I've searched the mailing list in gmail and tried to google it: If I want to remove the password history for a user, how do I do it? -- The government is going to read our mail anyway, might as well make it tough for them. GPG Public key ID: B6A1A7C6

Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-12 Thread KodaK
On Thu, Jul 11, 2013 at 5:19 PM, Dmitri Pal wrote: > > I am not good with ldap syntax but SQL natural for me so conceptually the > search would look like this: > > I don't think it's humanly possible to be good at ldap syntax. > I hope it conveys what I have in mind. The result of such search w

Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-12 Thread KodaK
On Fri, Jul 12, 2013 at 7:31 AM, natxo asenjo wrote: > >> > tcp wrappers support netgroups (iirc), you could use that too (you > cannot mix hosts and users though, so you should create netgroups of > users. > > I haven't used tcp wrappers in years, and I never knew it supported netgroups. That's

Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-11 Thread KodaK
On Thu, Jul 11, 2013 at 4:42 PM, Dmitri Pal wrote: > Well it is something like this that I had in mind. But you have beaten > me... > Great to see you found an acceptable solution. > Acceptable is a strong word. Maybe "passable" or Microsoft-style "it works, ship it." :) Out of curiosity, wha

Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-11 Thread KodaK
Just thought I'd pass along my work-around. I create a group for each host called hostname-access and populate each group with the users allowed to connect. Then, using puppet, I push out an sshd_config that has "AllowGroups: admins unixadmins hostname-access". The erb is: "AllowGroups: admins

Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-10 Thread KodaK
On Wed, Jul 10, 2013 at 5:00 PM, natxo asenjo wrote: > On 07/08/2013 07:44 PM, KodaK wrote: > >> We've just discovered that AIX does not honor HBAC rules with telnet. >> ssh is fine. >> > > no AIX experience, but I once overheard someone that did something l

Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-10 Thread KodaK
On Tue, Jul 9, 2013 at 5:43 PM, Dmitri Pal wrote: > On 07/09/2013 06:01 PM, KodaK wrote: > > > > On Tue, Jul 9, 2013 at 4:27 PM, Dmitri Pal wrote: > >> On 07/09/2013 03:57 PM, KodaK wrote: >> >> >> >> On Mon, Jul 8, 2013 at 12:50 PM, Rob Critt

Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-10 Thread KodaK
On Wed, Jul 10, 2013 at 2:07 AM, Jakub Hrozek wrote: > On Tue, Jul 09, 2013 at 06:43:55PM -0400, Dmitri Pal wrote: > > On 07/09/2013 06:01 PM, KodaK wrote: > > > > > > > > > On Tue, Jul 9, 2013 at 4:27 PM, Dmitri Pal > > <mailto:d...@redhat.com>

Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-09 Thread KodaK
On Tue, Jul 9, 2013 at 4:27 PM, Dmitri Pal wrote: > On 07/09/2013 03:57 PM, KodaK wrote: > > > > On Mon, Jul 8, 2013 at 12:50 PM, Rob Crittenden wrote: > >> >> HBAC is enforced by sssd, so no sssd, no HBAC. >> >> I think you need to use pam_access t

Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-09 Thread KodaK
On Mon, Jul 8, 2013 at 12:50 PM, Rob Crittenden wrote: > > HBAC is enforced by sssd, so no sssd, no HBAC. > > I think you need to use pam_access to limit users in AIX. > > I have some work-arounds now, but I'd like to find a way to automate them. What I need is a way to ask IPA "who is allowed t

[Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-08 Thread KodaK
We've just discovered that AIX does not honor HBAC rules with telnet. ssh is fine. [jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=sshd - Access granted: False - There was no telnet service by defaul

[Freeipa-users] AEGIS "integration"

2013-06-26 Thread KodaK
My manager sent this line item to me today for his meeting with a director over operations: "Discuss long term authentication of aix and linux systems. Most likely need to integrate with aegis" Besides the fact that I don't know what they mean here by "integrate" -- has anyone done anything with

Re: [Freeipa-users] why default shell /bin/sh

2013-06-06 Thread KodaK
On Thu, Jun 6, 2013 at 9:30 AM, Rob Crittenden wrote: > > Lowest-common denominator. One can configure all sorts of *nix-like > systems to use IPA for authentication so we needed a default shell that is > available on all systems and that is the bourne shell. > > I have a bunch of AIX machines, t

Re: [Freeipa-users] sudo rules user and host group bugs?

2013-06-05 Thread KodaK
Sorry, for some reason gmail makes me forget about "reply all." On Wed, Jun 5, 2013 at 2:45 PM, Dmitri Pal wrote: > On 06/05/2013 11:20 AM, KodaK wrote: > > I know this has been discussed before, but I didn't see anything with a > cursory search. > > There

[Freeipa-users] sudo rules user and host group bugs?

2013-06-05 Thread KodaK
I know this has been discussed before, but I didn't see anything with a cursory search. There are bugs when using user and host groups with sudo rules. I have to split out my users and hosts into individual entries. I'm running ipa 3.0.0-26 on RHEL. All I really want to know is if this is fixed

Re: [Freeipa-users] Issues after setup

2013-04-04 Thread KodaK
Run an hbactest: ipa hbactest --user=youruser --host=fqdn.of.host --service=sshd Make sure that works, if it does, then you can move on to troubleshooting the host itself. On Thu, Apr 4, 2013 at 2:27 PM, Shawn wrote: > Hi, > > I have configured a ipa-server, replica and client. > > In the GUI

[Freeipa-users] IPA branding

2013-03-28 Thread KodaK
I've been asked to look into the possibility of branding IPA. I'm running ipa 3.0.0-26 on RHEL 6. Is it safe to just modify the css files in /usr/share/ipa/ui, or is there (or will there be, since I've seen references to a "branding patch") a preferred way to do this? They want the logo swapped o

Re: [Freeipa-users] Mail Challenge Password Reset

2013-03-21 Thread KodaK
On Wed, Mar 20, 2013 at 7:54 PM, Simo Sorce wrote: > You should have given the pwm user 'password sync' privileges. > See this: http://www.freeipa.org/page/PasswordSynchronization I remember what my problem with PWM was now: it wants to go out and retrieve something from "the cloud" when it runs

Re: [Freeipa-users] Mail Challenge Password Reset

2013-03-20 Thread KodaK
On Wed, Mar 20, 2013 at 6:23 PM, Michael ORourke wrote: > We have a POC with PWM and a testIPA server running freeIPA v2.2.0. > It is working very well and we plan to move it into production soon. > I haven't written a how-to, but I have several notes on setting this up. > What part of PWM are you

Re: [Freeipa-users] Mail Challenge Password Reset

2013-03-19 Thread KodaK
On Tue, Mar 19, 2013 at 3:36 PM, Rob Crittenden wrote: > John Moyer wrote: >> >> Is there a mail challenge 3rd party tool that allows for users to change >> their own passwords if they don't know their password? Something like >> PWM for LDAP? >> >> https://code.google.com/p/pwm/ >> >> I've been

Re: [Freeipa-users] Revisiting auditing and avoiding reinvention of round rolling things

2013-03-17 Thread KodaK
On Fri, Mar 15, 2013 at 8:54 PM, Dmitri Pal wrote: > > This is what HBAC test is about. The HBAC test will allow me to see if a single user can access a given server. It doesn't give me a list of all the users that are allowed to access a given host. I can dump a list of users and run that list
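Two threads on this page want the reverse of `ipa hbactest`: the auditing question just above ("which users may reach a given host?") and the AIX telnet workaround earlier, where a per-host "hostname-access" group is filled with the allowed users and pushed into sshd's AllowGroups. The script below is an added example, not code from the thread or from FreeIPA: it models allow-only HBAC evaluation offline over a rule dump so the reverse question can be answered for every user at once. The rules, groups and hosts in it are constructed; in practice they would be loaded from `ipa hbacrule-find --all`, `ipa group-show`, `ipa hostgroup-show` and `ipa hbacsvcgroup-show` (that loading code is not shown), with nested group membership flattened first. The real `ipa hbactest` asks the server and remains the authority; this is a model for bulk reporting.

```python
"""Offline "who can reach host H via service S?" over a FreeIPA HBAC rule dump.

Added example; not code from the thread or from FreeIPA. Rules and memberships
below are constructed. Model assumptions: only allow rules exist, a category of
"all" matches anything, and nested group membership is already flattened.
"""


def rule(cn, enabled=True, usercat=None, hostcat=None, servicecat=None,
         users=(), groups=(), hosts=(), hostgroups=(), services=(),
         servicegroups=()):
    """One HBAC rule in the shape `ipa hbacrule-show` reports it."""
    return {'cn': cn, 'enabled': enabled, 'usercat': usercat,
            'hostcat': hostcat, 'servicecat': servicecat,
            'users': set(users), 'groups': set(groups),
            'hosts': set(hosts), 'hostgroups': set(hostgroups),
            'services': set(services), 'servicegroups': set(servicegroups)}


# Constructed rule set (hypothetical rule, group and host names).
RULES = [
    rule('allow_all', enabled=False, usercat='all', hostcat='all', servicecat='all'),
    rule('admins_everywhere', groups=['admins'], hostcat='all', servicecat='all'),
    rule('dba_ssh_to_dbhosts', groups=['dba'], hostgroups=['dbhosts'], services=['sshd']),
    rule('testuser_sla765q1', users=['testuser'],
         hosts=['sla765q1.unix.example.com'], services=['sshd']),
]
# Flattened memberships (constructed). 'telnet' is deliberately absent from
# every rule's service list, mirroring the thread: it only matches servicecat=all.
USER_GROUPS = {'alice': {'admins', 'unixadmins'}, 'bob': {'dba'},
               'testuser': set(), 'carol': set()}
HOST_GROUPS = {'db01.unix.example.com': {'dbhosts'},
               'sla765q1.unix.example.com': set()}
SERVICE_GROUPS = {'sshd': {'remote_login'}, 'telnet': {'remote_login'}}


def _matches(category, name, direct, groups_of_name, via_groups):
    """Category 'all', direct member, or member through a listed group."""
    return category == 'all' or name in direct or bool(groups_of_name & via_groups)


def rule_allows(r, user, host, service):
    if not r['enabled']:
        return False
    return (_matches(r['usercat'], user, r['users'],
                     USER_GROUPS.get(user, set()), r['groups'])
            and _matches(r['hostcat'], host, r['hosts'],
                         HOST_GROUPS.get(host, set()), r['hostgroups'])
            and _matches(r['servicecat'], service, r['services'],
                         SERVICE_GROUPS.get(service, set()), r['servicegroups']))


def hbactest(user, host, service, rules=RULES):
    """(granted, [matching rule names]) -- the shape of `ipa hbactest` output."""
    matched = [r['cn'] for r in rules if rule_allows(r, user, host, service)]
    return bool(matched), matched


def users_allowed_on(host, service='sshd', rules=RULES, users=USER_GROUPS):
    """The reverse query: every known user that at least one rule admits."""
    return sorted(u for u in users if hbactest(u, host, service, rules)[0])


def access_group_members(host, rules=RULES):
    """Name and members of a per-host '<shortname>-access' group for AllowGroups."""
    short = host.split('.')[0]
    return f'{short}-access', users_allowed_on(host, 'sshd', rules)


if __name__ == '__main__':
    for h in HOST_GROUPS:
        name, members = access_group_members(h)
        print(f'{h}: {name} = {members}')
    print('testuser telnet ->', hbactest('testuser', 'sla765q1.unix.example.com', 'telnet'))
```

The per-host group lists are exactly what the puppet-managed AllowGroups workaround needs; regenerating them from the rule dump on a schedule and diffing against the IPA groups is one way to catch a rule change that silently widens access. Note the telnet case: because no rule names that service, only rules with servicecat=all grant it, which is the same reason the telnet hbactest in the earlier thread came back denied.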

Re: [Freeipa-users] Solaris Clients

2013-03-13 Thread KodaK
On Wed, Mar 13, 2013 at 3:39 PM, Luke Kearney wrote: > Hello, > > I have recently been working on integrating our solaris 10 fleet with > FreeIPA. The first 'test' host went relatively smoothly and we recently > created a new test host. Only this time it was more challenging to get the > system

[Freeipa-users] Revisiting auditing and avoiding reinvention of round rolling things

2013-03-13 Thread KodaK
Hi all. I know that the A part of IPA has been delayed, but that doesn't mean that the auditing requirement has gone away. Before I write a bunch of stuff for this, I wanted to see if anyone had any thoughts (or code!) regarding how to accomplish some of this stuff that auditors want to see. Her

Re: [Freeipa-users] What does the "u" mean in IPA messages?

2013-03-01 Thread KodaK
On Thu, Feb 28, 2013 at 5:01 PM, John Dennis wrote: > On 02/28/2013 05:34 PM, KodaK wrote: > BTW, why are you parsing diagnostic output? I haven't actually started yet, I was just getting my bearings. I was going to wrap the commands in some scripts so I can do things like allow an

Re: [Freeipa-users] What does the "u" mean in IPA messages?

2013-02-28 Thread KodaK
On Thu, Feb 28, 2013 at 3:27 PM, John Dennis wrote: > On 02/28/2013 04:18 PM, KodaK wrote: >> >> When performing an operation with the IPA tools, I get a message every >> time similar to this: >> >> ipa: INFO: Forwarding 'hbactest' to server u'ht

[Freeipa-users] What does the "u" mean in IPA messages?

2013-02-28 Thread KodaK
When performing an operation with the IPA tools, I get a message every time similar to this: ipa: INFO: Forwarding 'hbactest' to server u'https://ipaserver/ipa/xml' What does it mean? I've never seen it say anything other than "u" (that I've noticed.) A pointer to documentation is preferred, bu

[Freeipa-users] proper way to clear sssd cache without sss_cache?

2013-02-26 Thread KodaK
I know that at some point the sssd package (or maybe the tools package) started including sss_cache for managing the sssd cache. I have some RHEL5 boxes that don't have this utility. I've been stopping the sssd service, deleting the contents of /var/lib/sss/db/ and then restarting and things seem

Re: [Freeipa-users] IPA with ILO

2013-02-22 Thread KodaK
On Fri, Feb 22, 2013 at 10:05 AM, Han Boetes wrote: > Hi Kodak, > > The question is: Which authentication mechanisms does HP ILO support? Their documentation kind of blurs the lines. It appears that the only directory that exists (according to HP) is AD, so they freely mix LDA

[Freeipa-users] IPA with ILO

2013-02-22 Thread KodaK
Just curious if anyone has configured HP ILO to authenticate against IPA. I'm just starting out and the fact that the ILO configuration screen has a section for a "SID" has me a bit concerned. -- The government is going to read our mail anyway, might as well make it tough for them. GPG Public k

Re: [Freeipa-users] Trouble creating replica

2013-02-20 Thread KodaK
On Wed, Feb 20, 2013 at 8:41 AM, Bret Wortman wrote: > Eureka! > > Someone had deleted the contents of /etc/dirsrv/slapd-PKI-IPA/dse.ldif. I > replaced it from a saved copy and now everything's working as expected. > > Thanks everyone for your contributions, patience, and indulgence. And for > a w

[Freeipa-users] Adding other users to a user's created default group

2013-02-15 Thread KodaK
I suspect the answer to this is "no," but I'm asking anyway: Let's say I have an IPA user named "bob." When bob was created, IPA created a matching GID for him. Is it possible, through IPA, to add another user to that GID? If not, and I add another user to that GID by directly manipulating LDAP

Re: [Freeipa-users] IPA w/ Puppet?

2013-02-15 Thread KodaK
On Fri, Feb 15, 2013 at 11:25 AM, Lynn Root wrote: > Hi all - > > I'm curious if anyone has written Puppet manifests for managing an IPA > domain. If so, I'd like to pester you to take a peek at those manifests. > More curious on the overall automated management process than anything > specific. >

Re: [Freeipa-users] Service accounts and groups

2013-02-07 Thread KodaK
On Thu, Feb 7, 2013 at 1:46 PM, Steven Jones wrote: > Hi, > > I have had little to do with permissions until now so bear with me if the Qs > are obviously stupid, probably not really IPA but a linux blind spot I > have... anyway, > > So I have a service account with its group this runs a databas

Re: [Freeipa-users] Testing out FreeIPA

2013-02-06 Thread KodaK
On Wed, Feb 6, 2013 at 2:13 PM, Shawn wrote: > Is their any centos5/centos6 packages available? Yup. yum search ipa should show you them. I don't run Centos here, so I don't know if the packages are called ipa or freeipa. --Jason

Re: [Freeipa-users] Backup and Restoration of IPA Server

2013-02-04 Thread KodaK
I use the following to dump my LDAP databases: #!/bin/sh /usr/lib64/dirsrv/slapd-PKI-IPA/db2ldif.pl -D "cn=directory manager" -j /var/lib/dirsrv/scripts-YOUR-KERB-REALM/dmanager.credentials -n ipaca -a /var/lib/dirsrv/slapd-PKI-IPA/bak/ipaca.`/bin/date +%Y%m%d%H%M%S`.ldif /var/lib/dirsrv/scripts-Y

Re: [Freeipa-users] Adding an IPA user that can't SSH?

2013-01-25 Thread KodaK
On Fri, Jan 25, 2013 at 10:43 AM, Dmitri Pal wrote: > AFAIK there is also some kind of "no shell" capability in SSH which might be > useful in this case but I am not a specialist in this area. You can do this a few ways, but the easiest (IMO) is something like this in sshd_config: Match User li

Re: [Freeipa-users] non-expiring password policy (or as close as I can come)

2013-01-24 Thread KodaK
On Thu, Jan 24, 2013 at 5:05 PM, Sigbjorn Lie wrote: > A calendar will be shown to choose a date and time for simplicity if you > download and use the Apache Directory Studio > (http://directory.apache.org/studio/) to edit the krbPasswordExpiration > attribute for a user account. It works well.

Re: [Freeipa-users] non-expiring password policy (or as close as I can come)

2013-01-24 Thread KodaK
On Thu, Jan 24, 2013 at 4:03 PM, Rob Crittenden wrote: > It is a 32-bit time problem. > > I'd set the maxlife no higher than 5000 for now. Thanks. Is there a way to apply this policy retroactively without requiring my users to reset passwords? --Jason

[Freeipa-users] non-expiring password policy (or as close as I can come)

2013-01-24 Thread KodaK
I have a need to have certain mission critical application accounts non-expiring (people don't log in directly, but if the accounts expire it could stop production jobs.) I've set "Max lifetime (days)" to 9 in the web interface, but here's what I see when I do "ipa pwpolicy show": Group: ap
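The replies in this thread point at a 32-bit time problem, recommend a maxlife of at most 5000 days, and mention editing krbPasswordExpiration directly. The script below is an added example, not code from the thread or from FreeIPA, that turns a last-change date and a maxlife into the GeneralizedTime value that attribute holds and refuses any value past 2038-01-19T03:14:07Z, on the assumption that the overflow in question is the ordinary signed 32-bit time_t limit (how FreeIPA itself stores or computes the date is not shown here). The dates used are constructed.

```python
"""Compute a krbPasswordExpiration value and check that it fits 32-bit time.

Added example; not code from the thread or FreeIPA. Assumes the "32-bit time
problem" is the usual one: timestamps after 2**31 - 1 seconds past the epoch
(2038-01-19T03:14:07Z) do not fit a signed 32-bit time_t. Dates are constructed.
"""
from datetime import datetime, timedelta, timezone

# Largest instant representable in a signed 32-bit time_t.
MAX_32BIT_TIME = datetime.fromtimestamp(2**31 - 1, tz=timezone.utc)


def parse_date(text):
    """'YYYY-MM-DD' -> aware UTC datetime at midnight (helper for callers)."""
    return datetime.strptime(text, '%Y-%m-%d').replace(tzinfo=timezone.utc)


def expiration_for(last_change, maxlife_days):
    """Expiry instant (UTC) for a password set at last_change under maxlife."""
    if last_change.tzinfo is None:
        last_change = last_change.replace(tzinfo=timezone.utc)
    return (last_change + timedelta(days=maxlife_days)).astimezone(timezone.utc)


def fits_32bit_time(when):
    return when <= MAX_32BIT_TIME


def generalized_time(when):
    """LDAP GeneralizedTime as stored in krbPasswordExpiration, e.g. 20261003000000Z."""
    return when.astimezone(timezone.utc).strftime('%Y%m%d%H%M%SZ')


def password_expiration(last_change, maxlife_days):
    """GeneralizedTime for the attribute, or ValueError if it would overflow."""
    when = expiration_for(last_change, maxlife_days)
    if not fits_32bit_time(when):
        raise ValueError(f'maxlife={maxlife_days} days expires {when:%Y-%m-%d}, '
                         f'after the 32-bit limit {MAX_32BIT_TIME:%Y-%m-%d}')
    return generalized_time(when)


def max_safe_maxlife(as_of):
    """Largest whole-day maxlife whose expiry still fits, for a change made as_of."""
    if as_of.tzinfo is None:
        as_of = as_of.replace(tzinfo=timezone.utc)
    return (MAX_32BIT_TIME - as_of).days


if __name__ == '__main__':
    changed = parse_date('2013-01-24')  # constructed last-change date
    for days in (90, 5000, 9999, 99999):
        try:
            print(days, password_expiration(changed, days))
        except ValueError as err:
            print(days, 'REJECTED:', err)
    print('max safe maxlife from', changed.date(), '=', max_safe_maxlife(changed), 'days')
```

The safe ceiling shrinks by one day per day, so a value that fits today (5000 days from early 2013 lands in late 2026) is not a permanent answer; recompute it, or set the attribute to an explicit date as suggested above, rather than treating one maxlife number as "never".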

Re: [Freeipa-users] Best OS to use with FreeIPA?

2013-01-21 Thread KodaK
On Mon, Jan 21, 2013 at 2:28 PM, Steven Jones wrote: > Hi, > > My experience with IPA over the last year is, I wouldn't use this in a > production environment without full vendor support. I can't agree with this more. I can't imagine running this in a production environment without support. If

[Freeipa-users] When will IPA v3 be available in RHEL?

2013-01-20 Thread KodaK
This is a surprisingly difficult thing to google for. I'd really like to roll out an AD trust, but I want to stay within RHEL support. Approximate is fine, I just want to know if I can plan for it sometime this year or not. -- The government is going to read our mail anyway, might as well make i

Re: [Freeipa-users] anyone know how to do sssd filters?

2012-12-18 Thread KodaK
On Tue, Dec 18, 2012 at 10:38 AM, KodaK wrote: > On Tue, Dec 18, 2012 at 9:17 AM, Jakub Hrozek wrote: >> On Tue, Dec 18, 2012 at 09:07:25AM -0600, KodaK wrote: >>> On Tue, Dec 18, 2012 at 3:51 AM, Jakub Hrozek wrote: >>> > On Tue, Dec 18, 2012 at 10:39:56AM +0100,

Re: [Freeipa-users] anyone know how to do sssd filters?

2012-12-18 Thread KodaK
On Tue, Dec 18, 2012 at 9:17 AM, Jakub Hrozek wrote: > On Tue, Dec 18, 2012 at 09:07:25AM -0600, KodaK wrote: >> On Tue, Dec 18, 2012 at 3:51 AM, Jakub Hrozek wrote: >> > On Tue, Dec 18, 2012 at 10:39:56AM +0100, Jakub Hrozek wrote: >> >> On Mon, Dec 17, 2012 a

Re: [Freeipa-users] anyone know how to do sssd filters?

2012-12-18 Thread KodaK
On Mon, Dec 17, 2012 at 3:03 PM, Dmitri Pal wrote: > On 12/17/2012 03:11 PM, KodaK wrote: >> I'm attempting to install Satellite in my IPA domain. There is a >> ridiculous requirement that the group "dba" must not already exist >> prior to installing. Red H

Re: [Freeipa-users] anyone know how to do sssd filters?

2012-12-18 Thread KodaK
On Tue, Dec 18, 2012 at 3:51 AM, Jakub Hrozek wrote: > On Tue, Dec 18, 2012 at 10:39:56AM +0100, Jakub Hrozek wrote: >> On Mon, Dec 17, 2012 at 04:03:03PM -0500, Dmitri Pal wrote: >> > On 12/17/2012 03:11 PM, KodaK wrote: >> > > I'm attempting to install Sate

[Freeipa-users] anyone know how to do sssd filters?

2012-12-17 Thread KodaK
I'm attempting to install Satellite in my IPA domain. There is a ridiculous requirement that the group "dba" must not already exist prior to installing. Red Hat support wanted me to *remove* the DBA group and then install. Anyway, I'm trying to play around with filter_groups in sssd, and I can't

Re: [Freeipa-users] Different primary group on different machines.

2012-10-25 Thread KodaK
On Thu, Oct 25, 2012 at 2:30 PM, Dmitri Pal wrote: > On 10/25/2012 03:11 PM, KodaK wrote: >> On Thu, Oct 25, 2012 at 12:35 PM, Dmitri Pal wrote: >>> On 10/25/2012 11:49 AM, KodaK wrote: >>>> I've been having users use the "newgrp" command to change t

Re: [Freeipa-users] Different primary group on different machines.

2012-10-25 Thread KodaK
On Thu, Oct 25, 2012 at 12:35 PM, Dmitri Pal wrote: > On 10/25/2012 11:49 AM, KodaK wrote: >> I've been having users use the "newgrp" command to change their >> primary group on different machines. >> >> I've poked around in the docs a bit and I do

[Freeipa-users] Different primary group on different machines.

2012-10-25 Thread KodaK
I've been having users use the "newgrp" command to change their primary group on different machines. I've poked around in the docs a bit and I don't see this addressed. I know, I know: "if it works, use it" -- but I'm wondering if I'm just missing a way to do it with IPA, or if there's another wa

Re: [Freeipa-users] slow ssh

2012-09-10 Thread KodaK
On Mon, Sep 10, 2012 at 4:16 PM, Steven Jones wrote: > Hi, > > Not sure if this is an IPA issue but I'm finding ssh takes a long time to login. > It looks like ssh is querying IPA for authentication mechanisms?...if so can > I simply turn this off? and if so how? "Slow" SSH is (in my experience,

Re: [Freeipa-users] Desperate help requested.

2012-09-06 Thread KodaK
Thank you everyone. We finally had our meeting today (it was delayed from Tuesday.) It went much better than I was expecting. Regardless of the email that said "we can't authenticate to anything but MS AD," apparently his *actual* concern was having a third party tie-in to Active Directory that

Re: [Freeipa-users] Desperate help requested.

2012-08-27 Thread KodaK
Thanks, everyone, for your input. It has helped tremendously. --Jason -- The government is going to read our mail anyway, might as well make it tough for them. GPG Public key ID: B6A1A7C6 ___ Freeipa-users mailing list Freeipa-users@redhat.com http

[Freeipa-users] Desperate help requested.

2012-08-25 Thread KodaK
I've just been informed by my boss's boss's boss that, and I quote from his ridiculous email: "we cannot use anything other than MS AD for authentication" I've spent months of time and much effort rolling out IPA, consolidating authentication across our Linux and AIX machines. To paraphrase Babb

Re: [Freeipa-users] Specifying load balancing to SSSD clients

2012-08-21 Thread KodaK
On Tue, Aug 21, 2012 at 2:50 AM, Innes, Duncan wrote: >I can't be alone in deploying IPA in a network already "dominated" by AD. You're certainly not. In my case it appears the Windows people have done everything they can to sabotage my efforts to implement SSO in unix-land that they can do with

Re: [Freeipa-users] Unable to get sudo commend to work...

2012-08-14 Thread KodaK
> > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > > From: KodaK [sako...@gmail.com] > Sent: Wednesday, 15 August 2012 9:41 a.m. > To: S

Re: [Freeipa-users] Unable to get sudo commend to work...

2012-08-14 Thread KodaK
OK, so it works if you allow all hosts, but fails if you specify a host. This leads me to believe that the host may not "know" who it is. Run the gamut on local hostname configuration: Check /etc/hosts, is the host listed with the FQDN first? Check "hostname" -- it should report the FQDN. Check
