Re: [Freeipa-users] Recovering from data-only backup doesn't recover Kerberos keys properly

2016-02-24 Thread Marat Vyshegorodtsev
Rob Crittenden <rcrit...@redhat.com> wrote: > David Kupka wrote: >> On 23/02/16 20:21, Marat Vyshegorodtsev wrote: >>> Hi! >>> >>> I've been doing backups using the tool like this: >>> ipa-backup --data --online >>> >>> I didn't wan

[Freeipa-users] Recovering from data-only backup doesn't recover Kerberos keys properly

2016-02-23 Thread Marat Vyshegorodtsev
Hi! I've been doing backups using the tool like this: ipa-backup --data --online I didn't want any configuration to be backed up, since it is managed from a chef recipe. However, when I tried to recover the backup to a fresh FreeIPA install, Kerberos (GSSAPI) broke — I can't authenticate myself

Re: [Freeipa-users] FREAK Vulnerability

2016-01-27 Thread Marat Vyshegorodtsev
ou my chef recipe snippets to configure it. On Thu, Jan 28, 2016 at 11:02 AM, Marat Vyshegorodtsev <marat.vyshegorodt...@gmail.com> wrote: > My two cents: > > My "magic" string for NSS is like this (I had to move to Fedora 23 > from CentOS in order to get more recent NSS ve

Re: [Freeipa-users] Service account to enroll hosts

2016-01-27 Thread Marat Vyshegorodtsev
: modify add: member member: uid=hostadmin,cn=sysaccounts,cn=etc,dc=contoso,dc=com On Thu, Jan 28, 2016 at 11:25 AM, Rob Crittenden <rcrit...@redhat.com> wrote: > Marat Vyshegorodtsev wrote: >> Tried that. >> >> Originally I had just a normal user of a role "Bu

Re: [Freeipa-users] Service account to enroll hosts

2016-01-27 Thread Marat Vyshegorodtsev
> nsIdleTimeout: 0 This didn't work (same error: not enough privileges), so I started experimenting with explicit privileges assignment by basically copying them from the default "admin" user. Didn't work either. I wonder what I am doing wrong. On Thu, Jan 28, 2016 at 1:03 AM, Rob Cri

[Freeipa-users] Moving default "admin" user to service accounts

2016-01-27 Thread Marat Vyshegorodtsev
Hi! My FreeIPA deployment is a part of PCI cardholder data environment. Hence, I have to comply with the requirements such as 8.1.1 (assign unique ID to each user) and 8.5 (do not use generic or shared IDs). I would like to move this user under service accounts (it may still be used by

Re: [Freeipa-users] FreeIPA Server with ECC certificate in LDAPS (389DS)

2015-11-06 Thread Marat Vyshegorodtsev
of TLSv1.2. As for now, I suggest writing it in docs and adding a check to ipa CLI tools not to allow ECC certs. Marat Fri, Nov 6, 2015, 17:50 Martin Kosek <mko...@redhat.com>: > On 11/05/2015 02:39 PM, Marat Vyshegorodtsev wrote: > > Hi! > > > > I've been fighting for the past w

[Freeipa-users] FreeIPA Server with ECC certificate in LDAPS (389DS)

2015-11-05 Thread Marat Vyshegorodtsev
the type of the certificate and enable appropriate algorithms in LDAP and Apache? Best regards, Marat Vyshegorodtsev