ok for the presence or
absence of sss in nsswitch.conf after running any of these scripts, since
that seems to be the most common issue.
On Thu, Sep 3, 2015 at 3:17 AM, Alexander Bokovoy
wrote:
> On Wed, 02 Sep 2015, Prasun Gera wrote:
>
>> I have zero confidence in any of the install and
Any ideas why the replica's certs are not being tracked ? That looks like
an issue in itself. If they are not being tracked, the replica will fail
once they expire. Is there any way to fix the replica ?
On Sun, Apr 23, 2017 at 10:08 PM, Prasun Gera wrote:
> I tried that, but the r
notwithstanding, I am not a big fan of the email being published at all.
On Thu, Apr 27, 2017 at 11:10 PM, Lachlan Musicman
wrote:
> On 24 April 2017 at 12:24, Prasun Gera wrote:
>
>> That doesn't work very well. The spam bots use different emails. And
>> gmail marks the e
HA256
>
> Mark as spam, and they gone from my inbox. :)
>
> On 04/23/2017 05:10 PM, Prasun Gera wrote:
> > This still continues to be a problem. Was any solution identified
> > for this ? Why are the emails not obfuscated on the public archives
> > ?
>
I tried that, but the replica's "getcert list" doesn't seem to show any
results. "Number of certificates and requests being tracked: 0." Is that
expected ?
On Sun, Apr 23, 2017 at 8:50 PM, Fraser Tweedale
wrote:
> On Sun, Apr 23, 2017 at 03:32:19AM -0400, Prasu
This still continues to be a problem. Was any solution identified for this
? Why are the emails not obfuscated on the public archives ?
On Tue, Dec 27, 2016 at 7:32 AM, Martin Basti wrote:
>
>
> On 27.12.2016 13:22, Outback Dingo wrote:
>
>> I'm still getting nude porn spam emails and pics from a
31:16PM -0400, Prasun Gera wrote:
> > I can confirm that I see this behaviour too. My ipa server install is a
> > pretty stock install with no 3rd party certificates.
> >
> > On Thu, Apr 20, 2017 at 5:46 PM, Simon Williams <
> > simon.willi...@thehelpfulcat.com>
I can confirm that I see this behaviour too. My ipa server install is a
pretty stock install with no 3rd party certificates.
On Thu, Apr 20, 2017 at 5:46 PM, Simon Williams <
simon.willi...@thehelpfulcat.com> wrote:
> Yesterday, Chrome on both my Ubuntu and Windows machines updated to
> version 5
Any systemd experts that can help in figuring out what's going on here ?
Here's a shortened log up to that error if it makes it more convenient:
https://gist.github.com/pgera/00f1ae31f77b9e9aa652db2be0e29574
On Fri, Feb 17, 2017 at 8:40 PM, Prasun Gera wrote:
> I now have a detai
might highlight if something
has changed in the start sequence.
On Thu, Nov 10, 2016 at 12:35 PM, Petr Vobornik wrote:
> On 11/09/2016 12:53 PM, Prasun Gera wrote:
> > It looks like something is messed up in the systemd configuration after
> 7.3. My
> > system doesn't
It looks like something is messed up in the systemd configuration after
7.3. My system doesn't boot at all. The boot screen would display the
message: "Failed to register match for Disconnected message: Connection
timed out". After some trial and error, I've managed to boot it. Here's
what works ri
Thanks Martin. That bug report is private. I take it that it's not very
serious ?
On Mon, Nov 7, 2016 at 3:12 AM, Martin Babinsky wrote:
> On 11/07/2016 01:31 AM, Prasun Gera wrote:
>
>> Getting this in yum check all after update to 7.3
>>
>> ipa-client-4.4.
Getting this in yum check all after update to 7.3
ipa-client-4.4.0-12.el7.x86_64 has installed conflicts freeipa-client:
ipa-client-4.4.0-12.el7.x86_64
ipa-client-common-4.4.0-12.el7.noarch has installed conflicts
freeipa-client-common: ipa-client-common-4.4.0-12.el7.noarch
ipa-common-4.4.0-12.el7
>
> There appears to be only one case where NAME_EXP is returned: when the
> client.expiration field is passed (not client.pw_expiration)
>
> I think "expiration" must equate to the "principal expiration" in IPA. But
> only regular password expiry would give you the option of changing it.
>
>
Thank
in. I don't have an account in this
failed state currently, but is it possible to force password expiration in
order to reproduce this again ? Something like "ipa user-mod myuser
--setattr=krbpasswordexpiration=" should work, right ?
On Tue, Oct 25, 2016 at 3:54 AM, Brian Candler wro
I've seen some different behaviour. I've had errors for users (including
the admin user) trying to log in with possibly an expired password. Both
webui and ssh would fail, but kinit would work. I'm not sure if this is
related to the password's expiration or the account's expiration. My
/var/log/sec
I need to set SELinux to enforcing to get the relevant SSSD logs, right ?
On Thu, Sep 29, 2016 at 3:42 AM, Sumit Bose wrote:
> On Thu, Sep 29, 2016 at 12:47:34AM -0400, Prasun Gera wrote:
> > I started seeing some selinux errors on one of my RHEL 7 clients recently
> > (possibly
I started seeing some selinux errors on one of my RHEL 7 clients recently
(possibly after a recent yum update ?), which prevents users from logging
in with passwords. I've put SELinux in permissive mode for now. Logs follow
SELinux is preventing /usr/libexec/sssd/krb5_child from read access on th
ipa-client-automount command would not even start if it was
>> executed on the ipa server.
>>
>>
>> thanks everyone!
>>
>> ms
>>
>>
>>
>> *From:* Prasun Gera > <mailto:prasun.g...@gmail
-automount command would not even
> start if it was executed on the ipa server.
>
>
> thanks everyone!
> ms
>
> --
> *From:* Prasun Gera
> *Sent:* Friday, August 26, 2016 4:02 PM
> *To:* Rob Crittenden
> *Cc:* m s; freeipa-users@red
ipa-client-automount --uninstall was(is?) a bit broken in that it tries to
revert back to an older configuration, but it can accidentally revert it to
a state before the ipa-client was installed (as opposed to the state where
automount was installed). Check your nsswitch.conf file and compare it t
Ubuntu 12.04 won't work very well out of the box. You can get it to work
with the freeipa and sssd ppas, but you'll still need some small hacks on
top of it. 14.04 is much better, and 16.04 is presumably the best in terms
of things working out of the box.
On Fri, Jul 15, 2016 at 3:59 AM, Jakub Hro
There were issues with 3rd party certs as of RHEL 7.2/4.2. If this is fixed
in 7.3, that would be great, especially for Lets Encrypt certs (even
without auto-renewal)
On Fri, Jul 1, 2016 at 5:15 AM, Andreas Ladanyi
wrote:
> Hi,
> > For the time being and as far as I can see until IPA 4.3.1, the
Thanks. I'll wait for RHEL 7.3 then.
On Thu, Jun 23, 2016 at 4:27 PM, Simo Sorce wrote:
> On Thu, 2016-06-23 at 14:11 -0400, Prasun Gera wrote:
> > Image attached. I don't use Windows much, but I noticed this on a windows
> > machine with Chrome. Before the actual logi
=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=10.254.1.168,local_lock=none,addr=10.254.1.167)
>
> $ ssh nfsclient
> Creating home directory for afayzullin.
> Last login: Tue Jun 7 17:34:14 2016
> Could not chdir to home directory /home/afayzullin: No such file or
On Fri, May 27, 2016 at 10:19 PM, Rob Crittenden > <mailto:rcrit...@redhat.com>> wrote:
> >
> > Prasun Gera wrote:
> >
> > I've identified the problem. The uris seem to be incorrect. This
> looks
> > like some substitution gone
.com.
On Fri, May 27, 2016 at 10:19 PM, Rob Crittenden
wrote:
> Prasun Gera wrote:
>
>> I've identified the problem. The uris seem to be incorrect. This looks
>> like some substitution gone wrong. Instead of using the actual ipa
>> server's address, it p
016 at 7:22 PM, Prasun Gera wrote:
> It looks like that issue was fixed and the OCSP and CRL uris in the certs
> are now http. So I'm not sure why java is complaining.
>
> On Fri, May 27, 2016 at 7:03 PM, Prasun Gera
> wrote:
>
>> I've set up a couple of dell idr
It looks like that issue was fixed and the OCSP and CRL uris in the certs
are now http. So I'm not sure why java is complaining.
On Fri, May 27, 2016 at 7:03 PM, Prasun Gera wrote:
> I've set up a couple of dell idrac card's ssl certs signed by ipa CA. I've
> also
I've set up a couple of dell idrac card's ssl certs signed by ipa CA. I've
also added the ipa CA to java's trusted CAs. However, when you try to
launch the idrac java console, it will still show an error that the site is
untrusted. Upon clicking on "more information", the message says that
although
You can stop the autofs daemon, and run it in foreground with automount
-fvv. Then try to access the mount point in parallel. The logs from the
foreground run should shed some light. Also, does your autofs setup work
without kerberos ? As a first step, get it to work with non-kerberised nfs.
On Mon, Ma
If it's the admin account, there would be a pretty good likelihood of
bruteforce attempts if your server is on the internet. One option is to
rename it to something else.
On 17 May 2016 11:36 a.m., "Rich Megginson" wrote:
> On 05/17/2016 08:18 AM, Rob Crittenden wrote:
>
>> John Duino wrote:
>>
>
ld
not delete change record 404057 (rc: 32)
[11/May/2016:23:19:52 -0400] DSRetroclPlugin - delete_changerecord: could
not delete change record 404058 (rc: 32)
... lots of similar messages
On Thu, May 12, 2016 at 4:25 AM, Ludwig Krispenz
wrote:
>
> On 05/12/2016 05:28 AM, Prasun Gera wro
Hi everyone,
I had a pretty similar failure on my replica yesterday. The replica was not
reachable, and I asked someone to have a look at the system. They
presumably rebooted it. When it came back up, ipactl wouldn't start, and
the symptoms were pretty similar to those described in this thread. I
f
It turns out that this was a permissions issue. Everything works now.
Thanks.
On Sat, Apr 30, 2016 at 11:26 PM, Prasun Gera wrote:
> Ah, this doesn't work on ubuntu (14.04). The command itself works, but
> sshd on ubuntu isn't probably compiled with support for thi
y way to get this working
on ubuntu 14.04 ?
On Fri, Apr 29, 2016 at 12:30 PM, Anon Lister wrote:
> Yep sorry I missed that. You need to put your public keys in IPA.
> On Apr 29, 2016 3:32 AM, "Jakub Hrozek" wrote:
>
> On Thu, Apr 28, 2016 at 09:14:48PM -0400, Prasun Gera wrot
>
> You can still authenticate with SSH keys, but to access any NFS 4 shares
> they will need a Kerberos ticket, which can be obtained via a 'kinit' after
> logging in.
>
Then how does the key authentication work if the .ssh directory on nfs4 is
not accessible ? Doesn't the key authentication pr
>
> Moreover, if you login through an SSH key, you don't get a ticket on
> login and you can't kinit, so you can't access any network resources
> anyway..
>
>
A bit off topic, but a related question:
How does nfsv4 work with ssh keys ? Does it mean that you can't use ssh
keys if /home is nfsv4 moun
sting case.
On Wed, Apr 13, 2016 at 3:28 AM, Jakub Hrozek wrote:
> On Wed, Apr 13, 2016 at 12:30:56AM -0400, Prasun Gera wrote:
> > My main ipa server used to be an NIS server. After migrating everything
> > into ipa, there is no need for the users and groups to exist in
> /e
My main ipa server used to be an NIS server. After migrating everything
into ipa, there is no need for the users and groups to exist in /etc/passwd
and /etc/group. Leaving them around would cause duplicate entries,
passwords falling out of sync and other issues on the server. So the right
approach
I have a master + replica setup on RHEL 7.2 (ipa 4.2). When this was setup,
most of the clients were on NIS, and hence the nis compatibility and
migration mode was enabled. The NIS maps in use right now are passwd, group
and autofs. Passwords were set to CRYPT for this to work. I have managed to
jo
NFS and ipa are sort of orthogonal unless you mix nfsv4 with kerberos. If
you aren't using kerberos, and don't need kerberos, then the nfs home setup
is pretty straightforward. ipa just controls authentication. If you have a
simple enough environment, you can just add your nfs mounts in the fstab o
=814314
>
> Maybe someone could be interested in Salt formula we are using to setup
> Freeipa server/client: https://github.com/tcpcloud/salt-formula-freeipa
>
> Filip
>
> On 2016/02/13 17:40, Prasun Gera wrote:
> > Just replying to this thread to express interest in good clie
Just replying to this thread to express interest in good client support in
Ubuntu. As 16.04 draws close to a release, it would be great if the client
side of things work well out of the box in 16.04 without any 3rd party
ppas. 12.04 was pretty bad, 14.04 was mostly usable with some issues. I'm
hopi
>
>
>
> *From:* freeipa-users-boun...@redhat.com [mailto:
> freeipa-users-boun...@redhat.com] *On Behalf Of *Prasun Gera
> *Sent:* Thursday, February 04, 2016 8:19 AM
> *To:* freeipa-users@redhat.com
> *Subject:* [Freeipa-users] client/authentication inside a docker container
>
On Thu, Feb 4, 2016 at 10:56 AM, Jan Pazdziora
wrote:
> On Thu, Feb 04, 2016 at 10:19:16AM -0500, Prasun Gera wrote:
> > I am trying to set up a docker image with a specific development
> > environment. We use idm 4.2 for authentication, and non-kerberized nfs
> > (inc
I am trying to set up a docker image with a specific development
environment. We use idm 4.2 for authentication, and non-kerberized nfs
(including home) for data storage on the hosts. The goal is to run the
docker container such that when the user calls docker run, it just drops
into a shell with t
Can someone at RH update this article
https://access.redhat.com/articles/1467293 ? I found it to be fairly
useful, but I'm not sure if it's up to date.
On Thu, Jan 28, 2016 at 11:04 AM, Terry John <
terry.j...@completeautomotivesolutions.co.uk> wrote:
> Ok thanks for that but I've had to give up,
This is great. Can you post instructions for getting Let's Encrypt working
on 4.2.x ? I had created a thread, but I eventually got stuck, and it felt
a bit risky to modify low level things on a production system.
This is the thread for reference:
https://www.redhat.com/archives/freeipa-users/2015-
This is an old thread, but I can confirm that this is still an issue on
RHEL 7.2 + 4.2. This creates problems when there are roles associated with
groups, but group membership through GID is broken. I had migrated all old
NIS accounts into ipa. I then added the host enrollment role to a
particular
Great! I hope it makes it downstream to RHEL.
On Wed, Jan 13, 2016 at 4:27 PM, Alexander Bokovoy
wrote:
> On Wed, 13 Jan 2016, Prasun Gera wrote:
>
>> They are authenticated using CRYPT passwords. i.e. Even after a user is
>> disabled in ipa, its entry is still visible
They are authenticated using CRYPT passwords. i.e. Even after a user is
disabled in ipa, its entry is still visible in ypcat passwd on the
clients.
On Wed, Jan 13, 2016 at 4:17 PM, Alexander Bokovoy
wrote:
> On Wed, 13 Jan 2016, Prasun Gera wrote:
>
>> I think I've sol
on ?
On Mon, Jan 11, 2016 at 9:21 PM, Prasun Gera wrote:
> This is the output of the command:
>
> ldapsearch -LLL -H $(cat /etc/ipa/default.conf | grep ldap_uri|cut -d=
> -f2) -b cn=config '(nis-domain=*)' dn CreateTimestamp ModifyTimestamp
> SASL/EXTERNAL authentication s
ients.
On Mon, Jan 11, 2016 at 4:21 PM, Alexander Bokovoy
wrote:
> On Mon, 11 Jan 2016, Prasun Gera wrote:
>
>> I upgraded ipa to 4.2 on my rhel 7.2 servers a few weeks ago. One of the
>> users reported that he is not able to log in to certain systems any more.
>> It turn
I upgraded ipa to 4.2 on my rhel 7.2 servers a few weeks ago. One of the
users reported that he is not able to log in to certain systems any more.
It turns out that there is some change in behaviour w.r.t NIS clients after
this upgrade. I see that his username is not visible in "ypcat passwd" on
th
I would like to understand this better too. I'm not using kerberized NFS.
I'm using regular nfs for user home dirs as well as other mount points,
which used to work quite well with autofs + NIS. For the most part it works
fine with ipa too. However, I have occasionally faced problems with autofs
no
Before I try this on the actual node, would it be better to roll back the
last yum transaction ? I want to do whatever is safer.
On Wed, Dec 9, 2015 at 8:14 AM, Martin Basti wrote:
>
>
> On 09.12.2015 16:32, Prasun Gera wrote:
>
> Ran yum update today. Pulled in
> <https://
te:
> Run upgrade manually, this is just error in checking function, obviously
> 4.2.0-15.el7_2.3 is newer than 4.2.0-15.el7
>
>
> On 09.12.2015 17:21, Prasun Gera wrote:
>
> Before I try this on the actual node, would it be better to roll back the
> last yum transaction ? I wa
Ran yum update today. Pulled in
https://rhn.redhat.com/errata/RHBA-2015-2562.html.
Seeing this error:
2015-12-09T15:21:02Z DEBUG The ipa-server-upgrade command failed,
exception: ScriptError: ("Unable to execute IPA upgrade: data are in newer
version than IPA (data version '4.2.0-15.el7', IPA ver
Have a look at a recent thread that I had started. You might be able to do
it manually for http/ldap certs. However, there were some issues which I
haven't figured out yet. You might have better luck. Anyone should be able
to try it out given that LE enters public beta in a couple of days.
On Mon,
e there any other side effects ? I won't be using
this for ldap certs.
4) How would I revert to IPA signed certs with automatic renewal if I want
to ? i.e. Reverting to stock configuration
On Wed, Nov 11, 2015 at 8:33 AM, Rob Crittenden wrote:
> Fraser Tweedale wrote:
>
>> O
On Tue, Nov 10, 2015 at 5:04 PM, Fraser Tweedale
wrote:
> On Tue, Nov 10, 2015 at 03:44:19PM -0800, Prasun Gera wrote:
> > No it didn't quite work.
> >
> > I ran ipa-server-certinstall -w /etc/letsencrypt/live/
> > example.com/privkey.pem /etc/letsencryp
ssfully after that. However, the webui hadn't configured the
certificates properly. At this point, I just restored my backups
of /etc/httpd/conf.d/ and /etc/httpd/alias/, which brought things back to
where things were earlier. I think it would be better to do these
experiments on a test bed first.
O
e.com/fullchain.pem
On Tue, Nov 10, 2015 at 3:31 PM, Fraser Tweedale
wrote:
> On Tue, Nov 10, 2015 at 03:12:04PM -0800, Prasun Gera wrote:
> > I tried using let's encrypt's certs manually, but I think I'm missing
> > something. Let's encrypt creates th
't able to get it to work. That page says, "The certificate in
mysite.crt must be signed by the CA used when installing FreeIPA." Since my
ipa installation uses the default internal CA, how do I get lets encrypt's
certs signed by the ipa CA ? Is that the missing step ?
On Sat, No
package would also have the added benefit of settings remaining up to
date without manual intervention as standards evolve.
On Thu, Nov 5, 2015 at 9:23 PM, Fraser Tweedale wrote:
> On Thu, Nov 05, 2015 at 11:52:32PM -0500, Rob Crittenden wrote:
> > Prasun Gera wrote:
> > >
mption (caching)*No (IDs assigned but not accepted)*
Are these relevant/serious ? Can they be mitigated ?
On Thu, Nov 5, 2015 at 6:51 AM, Rob Crittenden wrote:
> Prasun Gera wrote:
> > Yes, that's what I was planning to do. i.e. Convert cipher names from
> > SSL to NSS. I w
nerated DH parameters instead of standard ones ? For SSL, the suggested
modification to the config is 'SSLOpenSSLConfCmd DHParameters "{path to
dhparams.pem}"' after generating the params.
On Wed, Nov 4, 2015 at 8:21 PM, Fraser Tweedale wrote:
> On Wed, Nov 04, 2015 at 05
capped to C.
This server accepts the RC4 cipher, which is weak. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.
On Wed, Nov 4, 2015 at 4:44 PM, Fraser Tweedale wrote:
> On Wed, Nov 04, 2015 at 03:20:22PM -0800, Prasun Gera wrote:
> > I'm us
I'm using idm (4.1.x) on a RHEL 7.1 with the webui accessible publicly. I'm
using a stock configuration which uses the certs signed by ipa's CA for the
webui. This is mostly for convenience since it manages renewals seamlessly.
This, however, requires users to add the CA as trusted to their browser
plica server in the selinux disabled state didn't set up the selinux
related stuff properly, which manifested later when I set it to enforcing
mode.
On Sat, Oct 24, 2015 at 9:13 PM, Rob Crittenden wrote:
> Prasun Gera wrote:
> > I've done that now in addition to the few fixe
o had to do sudo setsebool -P httpd_manage_ipa 1
On Sat, Oct 24, 2015 at 10:51 AM, Lukas Slebodnik
wrote:
> On (23/10/15 20:57), Prasun Gera wrote:
> >selinux was disabled for some reason when the ipa server(replica) was
> >installed. I enabled it, and see that there are a lo
selinux was disabled for some reason when the ipa server(replica) was
installed. I enabled it, and see that there are a lot of selinux related
permissions problems in syslog. Is this a known issue ? I tried fixing some
of them manually, but I would like a better approach.
--
Manage your subscripti
I was facing similar issues, and ended up changing the username from admin
to something else since admin is a common name in brute force ssh attacks.
It was getting locked out in spite of using fail2ban. I guess fail2ban can
be tweaked to block the host before ipa blocks the admin account, but I
di
ep 10, 2015 at 6:03 AM, Prasun Gera wrote:
> The hardware is not very old (ivybridge). The entries appear every few
> minutes in the log. The /etc/ntp.conf has not been modified manually. It
> lists 3 servers - 0.rhel.pool.ntp.org, 1 and 2. At the end, there are
> also a couple of additio
rdware.
>
> On 10 September 2015 at 14:05, Prasun Gera wrote:
>
>> Thanks. I'm not virtualizing though. Should I still add it ?
>>
>> On Thu, Sep 10, 2015 at 5:02 AM, Andrew Holway
>> wrote:
>>
>>> Hi,
>>>
>>> I assume you are v
rver you are using?
> Are there any other machines on the same local network that are using this
> timeserver? Do they have problems?
>
>
>
>
> On 10 September 2015 at 14:18, Prasun Gera wrote:
>
>> So I did a bit of googling and tinker panic 0 only makes sense for
>
rtual clocks.
>
> Cheers,
>
> Andrew
>
> On 10 September 2015 at 13:46, Prasun Gera wrote:
>
>> OS: RHEL 7.1 w IDM
>>
>> I'm seeing these messages in my master's log messages. I don't know if
>> it's related, but I think I start
OS: RHEL 7.1 w IDM
I'm seeing these messages in my master's log messages. I don't know if it's
related, but I think I started seeing them after I set up a replica.
Everything seems to be working fine, but I'm worried that things will break
if delta grows beyond a point. I tried steps in
https://ac
2015 at 06:30:09PM -0700, Prasun Gera wrote:
> > FYI, I think the culprit (at least one of) is ipa-client-automount
> > --uninstall. This removes sss entirely from nsswitch, not just from the
> > automount section.
>
> Hmm, I haven't tested that but it sounds like a bug
FYI, I think the culprit (at least one of) is ipa-client-automount
--uninstall. This removes sss entirely from nsswitch, not just from the
automount section.
On Tue, Sep 1, 2015 at 11:56 AM, Prasun Gera wrote:
> So I've again spent a couple of hours debugging a very similar issue.
ing more robust which has transactional guarantees ?
On Sat, Jun 27, 2015 at 6:26 AM, Dmitri Pal wrote:
> On 06/24/2015 04:31 AM, Jakub Hrozek wrote:
>
>> On Wed, Jun 24, 2015 at 01:24:37AM -0700, Prasun Gera wrote:
>>
>>> Thanks. It's good to know that it is fixed
Did you clear out /var/lib/sss/db between re-installation of the client?
There was a bug which might not have been fixed downstream yet.
On Thu, Aug 20, 2015 at 1:21 PM, Chris Mohler wrote:
> Hi List,
> I'm still fairly new to this list and administrating FreeIPA.
>
> I had a very old version of
Did you try the */ipa/migration/* url for migrated users ?
On Fri, Aug 14, 2015 at 3:38 AM, Petr Vobornik wrote:
> On 08/13/2015 09:25 PM, Janelle wrote:
>
>> AHA!!!
>>
>> The problem is found, but the solution eludes me.
>> Any user "migrated" in compat mode has the problem. NEW users do not.
Where are you trying to create the home directories ? Is your NFS server
the same as the IPA server ? You can only create home directories on the
NFS home server unless the nfs-client sees the export option
"no_root_squash". That is not recommended though.
On Thu, Aug 13, 2015 at 9:49 AM, Youenn P
How smooth is the renewal process ? if the webui cert expires, does it
affect the core ipa functionality in any way ? Also, when ipa does its own
auto-renewal, does it leave the webui alone if set up this way ?
On Wed, Jul 1, 2015 at 9:16 PM, Prashant Bapat wrote:
> I had the exact same require
>
> More importantly, ipa-client-install is just a thin configuration tool. If
> ipa-client-install is not available on your platform you can configure
> everything manually and it will work (as long as the client is
> standard-compliant).
>
> I.e. the client side is *in the worst case* (without ip
I've found that if you are setting up a new environment from scratch which
is mostly going to involve RHEL/Fedora systems, and that you have full
control over your network including DNS, DHCP etc., it should mostly be
smooth sailing. However, if you already have a network of old and new
machines ru
Thanks. It's good to know that it is fixed upstream. For discussion though,
are any enhancements planned for dealing with installation/removal of ipa ?
On Wed, Jun 24, 2015 at 12:49 AM, Jakub Hrozek wrote:
> On Tue, Jun 23, 2015 at 10:46:14PM -0700, Prasun Gera wrote:
> > Af
Version: idm 4.x on rhel 7.1
Yet again, I've discovered a problem with residual state left behind by ipa
client install and uninstall scripts. I was having some trouble with
autofs+sssd leading to users not being mapped correctly (got nobody users
for everything). So I tried the ipa-client-automoun
I had faced a similar issue a month ago, for which I had created a ticket.
https://fedorahosted.org/freeipa/ticket/4956
On Fri, Jun 5, 2015 at 7:30 AM, Alexander Bokovoy
wrote:
> On Fri, 05 Jun 2015, Christopher Lamb wrote:
>
>> Hi Martin
>>
>> Thanks for updating the documentation!
>>
>> The sug
015, at 09:55, Martin Kosek wrote:
> >>
> >> We will get someone review the chapter again, to remove the
> uncertainty. Would
> >> you then be willing to proof-read the result?
> >>
> >>> On 04/14/2015 10:37 AM, Prasun Gera wrote:
> >>> T
operly, I assume you would need have some notification
> mechanism
> deployed on FreeIPA server, that would trigger the home directory creation
> on
> the server.
>
> (We have a ticket for it: https://fedorahosted.org/freeipa/ticket/1593)
>
> On 04/13/2015 08:58 PM, Prasun Gera
squah for the mount on the IPA server. If someone has achieved this
functionality, can you share your experience ?
On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera wrote:
> Here's the link:
>
>
> https://access.redhat.com/documentation/en-US/Red_Hat_E
live with DES crypt if one wants to do a staged migration from NIS.
On Fri, Apr 3, 2015 at 9:06 AM, Simo Sorce wrote:
> On Thu, 2015-04-02 at 17:33 -0400, Prasun Gera wrote:
> > I had a look at ldap/servers/plugins/pwdstorage/crypt_pwd.c, and it looks
> > like it is hardcoded
recent glibcs supports them. Would it make sense to add the other options
to the encoding function ?
On Thu, Apr 2, 2015 at 3:27 AM, Prasun Gera wrote:
> I tried enabling crypt for experimentation, and things seem to work well
> for both NIS and SSSD clients. I noticed that the crypt format th
encodings which allow MD5, SHA256 and SHA512 (
https://docs.python.org/3/library/crypt.html) . Is it possible to force one
of those as the storage scheme in the directory server ?
On Tue, Mar 31, 2015 at 12:04 PM, Prasun Gera wrote:
> I've figured it out. You are right. SSSD triggers key generat
s for
persisting with this. It's pretty clear how it works now.
On Tue, Mar 31, 2015 at 11:32 AM, Prasun Gera wrote:
>
>
>> ? SSSD does not seem to be involved as user is found in the /etc/passwd
>> and this SSSD should not do anything.
>>
>> It's not a local
> The idea is that you tell all the users to either login via migration page
> or via SSSD.
> If your server is in a migration mode the migration page should be
> available and SSSD should detect that server is in migration mode.
> In this case any authentication via SSSD will end up creating prope
>
> Keys can be generated in migration in two ways: by the migration web UI
> or by sssd. I'm guessing you were unaware of this second method and that
> is how the keys are being created.
>
>
That's what I suspected too. But it doesn't look like SSSD is generating
keys. At least not right away. I S