On Sat, 2017-05-06 at 16:43 +0300, Markovich wrote:
> Hello everyone!
> We are unable to delete ipausers group: The default users group
> cannot be removed
> But we can rename it!
> After this, if you'd like to add a new user you are going to get:
> {
> "error": {
> "code": 4001,
>
On Thu, 2017-05-04 at 18:02 +0200, Christopher Lamb wrote:
> Hi All
>
> Is the following statement correct?
>
> "If a kerberos client (e.g. a FreeIPA client) holds a service ticket
> to a service principal in its credentials cache, it no longer needs
> to interact with the KDC to access the
On Thu, 2017-04-13 at 17:16 +0300, Alexander Bokovoy wrote:
> On to, 13 huhti 2017, Simo Sorce wrote:
> >On Thu, 2017-04-13 at 08:05 -0400, Chris Dagdigian wrote:
> >> Hi folks,
> >>
> >> I've got a high performance computing (HPC) use case that will need A
option could also be to keep a (set of) keytab(s) you can copy on
the elastic hosts and preconfigure their sssd daemon. At boot you copy
the keytab in the host and start sssd and everything should magically
work. They all are basically the same identity so using the same key for
all of them may be acceptable.
On Thu, 2017-04-06 at 22:18 +0200, Stijn De Weirdt wrote:
> hi rob,
>
> > > i'm a bit puzzled by the following: i want to retrieve a user
> > > keytab
> > > using ipa-getkeytab -r (since the keytab for the same user was
> > > already
> > > retrieved on another host).
> > >
> > > when doing so, i
some light on this
> > requirement.
> >
> > Padding scheme for what exactly ?
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >
> >
>
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
On Thu, 2017-03-09 at 13:33 +0100, Kees Bakker wrote:
> On 09-03-17 13:26, Tomas Krizek wrote:
> > On 03/09/2017 01:19 PM, Kees Bakker wrote:
> > > On 09-03-17 12:08, Martin Basti wrote:
> > > > On 09.03.2017 11:12, Kees Bakker wrote:
> > > > > Hey,
> > > > >
> > > > > Is there an easy way to
On Tue, 2017-03-07 at 12:38 +0530, Kaamel Periora wrote:
> Dear All,
>
> It is required to identify the padding scheme used by the Fedora dogtag
> system. Appreciate of someone could shed some light on this requirement.
Padding scheme for what exactly ?
Simo.
th sssd 1.13.4.
>
>
> sssd.conf is attached, of course. Every helpful comment is highly
> appreciated.
>
> Harri
and none of that is set up by default.
We are planning to enable the integrated Samba server (which is used for
trusts only at the moment) to provide NTLM services for radius servers,
but it is not ready yet, although you may try to experiment with it.
Simo.
restingly the LDAP
> server should use the ds.keytab file instead of krb5.keytab.
>
> We need someone from the DS team or with deep Kerberos/gssproxy knowledge to look
> into it.
>
> Simo, Ludwig, how can this happen?
As Martin said, incorrect configuration of DS makes it fall back to
se backend in a separate 389-ds
> instance.
Yes it is definitely a bug, but not an easy fix, please do file a bug,
however it will take some time before we can fix it.
Simo.
On Mon, 2016-12-12 at 05:04 -0500, Simo Sorce wrote:
> Dear freeipa-users,
> in an attempt to identify how the recent wave of spamming activity
> targets mailing list posters, I have temporarily disabled free access to
> the archives.
> This is not a permanent change an
Dear freeipa-users,
in an attempt to identify how the recent wave of spamming activity
targets mailing list posters, I have temporarily disabled free access to
the archives.
This is not a permanent change and public access will be restored
shortly.
Regards,
Simo.
This is an automated message to probe our subscribers' email addresses, in order
to pinpoint the bot harvesting our emails.
Please disregard.
Freeipa-users list administrators.
Sorry David,
it is not clear to me what you are objecting to, please be more specific
or quote the specific part of my previous reply that you find
questionable.
Simo.
Enough people complained they cannot cope with the change I made
recently.
So I am reverting this change and will try to find a better solution for
the spam issue the list users are subject to.
Thanks for your understanding,
Simo.
in with Ipsilon and
> FreeIPA... Has anyone else tried this before? If so, are there any
> pitfalls or problems you have encountered or any general advice?
I think there are issues with the workflow Duo requires and the latency
(sending token via SMS and waiting for user to input).
Simo.
N/anonym...@pan-net.eu".
> kadmin.local:
Whether the principal has keys or not doesn't matter, pkinit
pre-authentication ignores the keys anyway.
> I've also tried all the above when the user's krb5.conf "realm"
> section was set with the following options
> pkinit_e
all --uninstall) and
then re-join after.
Simo.
istribute it to both server's http keytab so they can
decrypt incoming requests.
However your load balancer then also needs to stick with one server for
all requests coming from the same client, because we use session cookies
to maintain authentication and we do not share them between servers.
Simo
r its own computer account I would
think of adding it to the local user database, if you have to distribute
it via LDAP you'll have to create actual user accounts in the directory
I guess.
Simo.
ond should "fix" them ...
unless you depended on the incorrect configuration in some way ...
ex product but
> gave the user lots of possible customizations of the web ui and
> included workflows. Is that possible with ipa also?
With the latest FreeIPA versions it is possible to write plugins to
extend the Web UI, we are working on making it more straightforward, but
it has been done
ot just give it blanket access to
read everything from the directory and write every password, you should
limit it to users for example and not allow it to change service's or
host's "passwords".
Simo.
>> >
> >> > All this said, I think there is a valid RFE in allowing Kerberos
> >> > principal aliases to be consulted when validating a CSR. This would
> >> > mean you do not have to create new objects, just add more principal
> >> > names to the existing one. I filed a ticket:
> >> >
> >> > https://fedorahosted.org/freeipa/ticket/6432
> >> >
> >> > Alexander, Simo, what do you think?
> >> Certainly principal aliases should be checked if they were asked to be
> >> in SAN. The question is what type of the SAN extension should be
> >> considered for them in addition to Kerberos principal. The aliases are
> >> stored in their full format (alias@REALM), so either you need to do full
> >> match or consider dropping the realm for some types. This needs to be
> >> clarified before any implementation happens.
> >>
> >Right, UPN and KR5PrincipalName can be checked as-is.
> >
> >We should check dnsNames by affixing around the dnsName the same
> >service type (e.g. `HTTP') and realm as the nominated principal, and
> >looking for that in the aliases. e.g. for nominated principal
> >`HTTP/web.example@example.com', if there is a SAN dnsName
> >`www.example.com', we look for `HTTP/www.example@example.com' in
> >its aliases.
> >
> >Does this sound reasonable?
> >
> >No other GeneralName types shall be checked against principal
> >aliases, unless/until we support SRVName.
> Sounds reasonable for me, thanks.
+1
Simo.
On Thu, 2016-09-01 at 09:33 +1000, Peter Fern wrote:
> On 01/09/16 08:35, Simo Sorce wrote:
> > Port 80 is not required, the only thing you'll find there is a redirect
> > to the HTTPS port.
>
> What about CRL/OCSP (and possibly others)? The Apache configs
> explicitly
? Has anyone attempted not opening port
> 80 from IPA Server to IPA Server and clients to IPA server?
> ipa-server-3.0.0-50.el6.1.x86_64
Port 80 is not required, the only thing you'll find there is a redirect
to the HTTPS port.
Simo.
can't have this (if you want SSO and avoid headaches in general)
no matter what you do. You have to keep server names on separate
(sub)domains.
In some cases you can use CNAMEs though.
> Also, thanks for your other answers. They were very helpful :^)
You are welcome,
Simo.
> --David A
providing a GC service.
HTH,
Simo.
You can have a Realm named COMPANY.COM (AD) and a Realm named
FREEIPA.COMPANY.COM (IPA), as long as the AD Servers never had computer
objects or subdomains in the DNS domain freeipa.company.com in it.
If that's the case you can create a 1 way or 2 way trust
dy been answered, I tried google-fu and it
> didn't return anything useful.
> Using IPA 3.0 on Redhat 6.8
>
> Thanks
> -Brad
>
>
> --David Alston
>
> -Original Message-
> From: Simo Sorce [mailto:s...@redhat.com]
> Sent: Friday, July 22, 2016 10:49 AM
> To: Alston, David
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Replicating users/groups from AD
>
the coexistence of FreeIPA and AD in a single DNS domain.
Simo.
n add something like:
> >
> >export KRB5CCNAME=$HOME/my_cc_cache
> ^
> Is FILE: considered as default or it need to be
> written as well for KRB5CCNAME
If no ccache type is specified the krb5 libs default to the FILE ccache
type.
Simo.
uide/id-views.html
Also here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/id-views.html
note that ID Views are not confined just to AD trust environments; this
second doc is just to have a wider view of the feature.
HTH,
Simo.
I'm thinking, asking, is - what would be the correct
> possible way to plug in, connect IPA domain to win AD when one has
> admin control only over a OU in win AD?
Not sure you can even do sync, there isn't really much you can do with
those privileges, you are basically just allowed to administ
work for MIT Kerberos
>or does it also work for Heimdal?
>
>
> Thank you,
> Stefan Zecevic
ll create a trust between 2 different forests, it just so
happens that one of them will be in a DNS subdomain.
For this to work, no other windows machine may have used the
ipa.activedir.local domain before.
Simo.
On Wed, 2016-05-04 at 16:16 +0200, Martin Kosek wrote:
> On 05/03/2016 08:20 AM, Rakesh Rajasekharan wrote:
> > Hi,
> >
> > I am running a freeipa server 4.2.x.
> >
> > I have the following global password policy set to force a history
> > of 3
> >
> > ipa pwpolicy-mod global_policy
ould be greatly appreciated! I have not found a "Who uses
> FreeIPA" page on the Internet.
>
> Best regards,
> --
> Alexandre de Verteuil <alexan...@deverteuil.net>
> public key ID : 0xDD237C00
> http://alexandre.deverteuil.net/
>
t split in certain ways
Thanks Timo, this is awesome!
Simo.
>
> >
> > So, sorry, I cannot edit the contribute to the wiki. I will write
> > something down in my own wiki and post the link here, search engines
> > will index this mailing list posts as well, so this knowledge will not
> > go lost.
>
> It's not just you. I can't log
on fails. Error message
> >> is
> >> like "Pre-authentication information was invalid (24) - PREAUTH_FAILED".
> >>
> >> Any pointers on how to make OTP work?
> >>
> > http://www.freeipa.org/page/V4/OTP
> > http://www.freeipa.org/page/V4/OTP/Deta
> Alessandro
>
> On 29 February 2016 at 05:44, Simo Sorce <s...@redhat.com> wrote:
>
> > On Mon, 2016-02-29 at 00:11 +, Alessandro De Maria wrote:
> > > Solved.
> > > This turned out to be the ipa-otp process stuck on one of the 2 servers.
> > &
t; Could someone help me understand what is going on?
> >
> > Regards
> > Alessandro
> >
> >
> > --
> > Alessandro De Maria
> > alessandro.dema...@gmail.com
> >
>
>
>
uot; which
> may be overridden elsewhere if ChallengeResponseAuthentication is set to yes
>
> Terry
>
> -Original Message-
> From: Simo Sorce [mailto:s...@redhat.com]
> Sent: 25 February 2016 15:01
> To: Terry John
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] 14
while getting initial
> credentials"
>
>
>
> How to work around this issue ?
I think this is something that can only be analyzed and fixed by Solaris
support channels. A segfault is a bug in the client.
Simo.
Doesn't look related to mod_auth_gssapi, it's past it.
- Original Message -
> From: "Martin Kosek" <mko...@redhat.com>
> To: "David Zabner" <da...@cazena.com>, freeipa-users@redhat.com, "Simo Sorce"
> <sso...@redhat.com>
&g
ner" <da...@cazena.com>
> To: "Simo Sorce" <s...@redhat.com>
> Cc: "Martin Kosek" <mko...@redhat.com>, freeipa-users@redhat.com
> Sent: Thursday, January 28, 2016 10:18:06 AM
> Subject: Re: [Freeipa-users] Client-Install failures
>
> Any g
site.
Can you explain what you mean by "migrate to the following separate
components" ? And why you want to do so ?
Simo.
FreeIPA uses is coupled with about two
> > >> dozen additional plugins. These plugins either don't exist for OpenLDAP
> > >> at all or have different behavior and rely on different LDAP schema.
> > >>
> > >> In short, if you move the data from
olla to a set of
loose parts (including an engine from Mercedes and the chassis of a
Honda) that our mechanic can put together ?
Simo.
> Best regards.
>
> Bahan
>
> On Wed, Jan 13, 2016 at 2:58 PM, Simo Sorce <s...@redhat.com> wrote:
>
> > On Wed, 2016-01-1
s", also Access
control, delegation, etc... the feature list is huge.
Simo.
ably easier
to just regenerate all keys and upload the new public keys on the glue
record of the delegating provider.
Simo.
> Then I have to wait after the holidays to UPDATE the DS Record on my ISP :-(.
>
> Thanks for an answer,
>
> --
> mit freundlichen Grüßen / best regards,
>
no need to have a CA on every ipa server, so a CA is not
installed by default.
You can pass --setup-ca at install time or you can use ipa-ca-install
later on.
Simo.
ve changed the way replicas are created, at domain level
1, it may be a good RFE to ask to make it possible to install w/o CA by
generating a self signed cert for HTTP only.
Simo.
> On Mon, Dec 28, 2015 at 7:11 PM, Simo Sorce <s...@redhat.com> wrote:
>
> > On Mon, 2015-12-28 at 13:
pubconf and
krb5 libraries read from it, however kinit cannot force sssd to
re-evaluate if the file needs updating.
If you do a local login instead of a kinit, you will see that SSSD will
switch to the new server and subsequent kinit will start using it.
This is tracked here:
https://fedorahosted.org/s
; respond, but I can not find how to do it.
> Is this happening automagically ?
Yes, if you use ipa-client-install and do not force it to use a specific
server.
> Or this is not the way it is supposed to be used ?
This is what replicas are for, redundancy, and load sharing.
Simo.
eipa.
>
> Should I just create a normal user account, set the password and mail
> and disable logins?
There are a few ways to go about it.
Another way is to use a custom subtree + schema to store these emails
only.
It really depends on what kind of tools you want to use to manage the
infor
t; running the ipa client install to join the domain.
>
> > Would you mind filing a ticket? I think this should be fixed.
>
> Done - https://fedorahosted.org/freeipa/ticket/5518
Thanks!
Simo.
ow if these options are generated by the installer or are those
the ones included with the sssd generated file ?
Would you mind filing a ticket? I think this should be fixed.
Simo.
t; > > - is there a more suitable way to obtain the above delegation and
> > security
> > > context switching using other mechanisms supported by IPA?
> > >
> > > Thanks in advance
> > > Stefano
FWIW a better way to solve this would be to use constrained
rsonate(KerberosDemo.java:121)
> at test24u2.KerberosDemo.generateToken(KerberosDemo.java:179)
> at test24u2.KerberosDemo.main(KerberosDemo.java:215)
> Caused by: KrbException: S4U2self ticket must be FORWARDABLE
> at
> sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(Cre
I think the key part is setting the +ok_to_auth_as_delegate flag which
we do not provide an official higher level interface for yet.
Simo.
s works with ipa-web.
> Thanks
>
> Marc Boorshtein
> CTO Tremolo Security
> marc.boorsht...@tremolosecurity.com
> (703) 828-4902
>
>
> On Tue, Dec 1, 2015 at 12:42 PM, Simo Sorce <s...@redhat.com> wrote:
> > On Tue, 2015-12-01 at 11:55 -0500, Marc Boorsh
On Tue, 2015-12-01 at 12:57 +0100, Martin Kosek wrote:
> On 11/30/2015 02:25 PM, Gašper Bregar wrote:
> > I have been struggling with FreeIPA and AD password sync for a couple of
> > days now. At first everything was working fine, but then all of a sudden
> > the synchronization started to fail for
d then just use the getpwnam interface.
Simo.
> I currently have
>
> bug here:
> https://www.redhat.com/archives/freeipa-users/2014-June/msg00163.html
rom: 2015-11-18 02:17:44 (UTC)
> till: 2015-11-18 10:17:44 (UTC)
> nonce: 604310537
> etype: 1 item
> ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
>
>
> Is there a field missing?
CCing Andreas as this one sounds like a bug w
up.
Simo.
> IPA 4.1 on CentOS7
>
> Thanks
> Marc Boorshtein
> CTO Tremolo Security
> marc.boorsht...@tremolosecurity.com
>
>
>
> On Mon, Nov 23, 2015 at 10:38 AM, Simo Sorce <s...@redhat.com> wrote:
> > On Tue, 2015-11-17 at 21:36 -0500, Marc Boorshte
he fallback was made to allow a client to
work against an older server not to work "around" permission issues.
The idea is to actually change the default permissions soon(*) so that
the *old* interface stops working by default and the admin has to enable
it intentionally in cn=etc c
On 10/11/15 11:54, Gronde, Christopher (Contractor) wrote:
# ldapsearch -x -D 'cn=Directory Manager' -W -b cn=mapping,cn=sasl,cn=config
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base
r ',' ' ' > /my/authorization/file
And in apache have set the following directives instead of the above two:
AuthGroupFile /my/authorization/file
Require group git-users
HTH,
Simo
options back in the
response I'd be in business? Any thoughts?
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902
e the specification was born.
Simo.
used ;-)
> >
> > Hopefully this makes it clear.
>
> Ok, that's what I thought, didn't want to assume. It is my understanding
> that nss returns the first match it finds, in this case the system-local
> wheel group. There is no merging in SSSD AFAIK.
FYI: we are working on this problem:
https://sourceware.org/glibc/wiki/Proposals/GroupMerging
Stephen has patches for glibc, not sure what is the status of the submission yet
though.
Simo.
ation mode and the server they
log in is configured with SSSD.
Simo.
G:
jsonserver_session: 401 Unauthorized need login
Any ideas? The webUI will normally need to be used by people on systems
that are not managed by FreeIPA (this is meant to manage our server
infrastructure, not our workstations), but as far as I can tell
username/password auth should work?
on the
files wdadeploy creates.
Simo.
he RUV was not properly cleaned
Simo.
On 02/10/15 04:06, Alexander Bokovoy wrote:
On Thu, 01 Oct 2015, Simo Sorce wrote:
On 01/10/15 03:15, Petr Spacek wrote:
On 30.9.2015 20:36, Matt Wells wrote:
Hi all, I hoped I may glean some brilliance from the group.
I have a Freeipa Server sitting atop a Fedora 21 server. The
initial plan
as to why I posted the original ask?
When SSSD is integrated directly in AD you can use Group Policies to
define access controls. See ad_gpo_access_control in sssd-ad(5)
Simo.
ble to see user names, but only SIDs for IPA users.
Some tools that may depend on SID->Name translation may also fail in
unexpected ways.
This is why we do not recommend trying this, but it is technically
possible if you know very well how to handle everything through Windows
CLIs (I don't so do
to share
the same DNS namespace).
HTH,
Simo.
http://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA
Lenka was already investigating https://fedorahosted.org/freeipa/ticket/3656,
so some updates may happen.
from using
UDP completely, although I am not 100% certain this will avoid the
problem, IIRC at least in some versions the client library would retry
after 1 second even on TCP.
Simo.
ing
PTR records ?
There is a global DNS option (as well as a per-zone setting) called
"Allow PTR Sync" you may want to enable.
e-hkvm-ctrl
> > -01.core.nice.cloud.oliv
> > arim@cloud.olivarim.com (aes256-cts-hmac-sha1-96)
> >3 30/08/2015 15:50:36 libvirt/nice-hkvm-ctrl
> > -01.core.nice.cloud.oliv
> > arim@cloud.olivarim.com (aes128-cts-hmac-sha1-96)
> >3 30/08/2015 15:50:36 lib
tried restarting DS before trying to clean the ruv ?
I ran into a similar problem in a test install recently, and I got better
results that way. The bug is known to the DS people and they are working
to get out patches that fix the root issue.
Simo.
that prevents you from
GSSAPI-updating PTR records (over AD trust) so going with manual PTR
records would work.
You need to make sure AD has no policy to periodically remove PTR
records for Linux machines.
are specifying the umask is incorrect :-)
Hint: see oddjob-mkhomedir.conf
HTH,
Simo.
freundlichen Grüssen / best regards,
Günther J. Niederwimmer
Hi,
IPA CA certificate is located here /etc/ipa/ca.crt on server
It is also available from http[s]://ipa.server.name/ipa/config/ca.crt
HTH,
Simo.
On Tue, 2015-08-18 at 18:01 -0400, Simo Sorce wrote:
The load balancer would have to have the exact same name (for the
clients) as the IPA server, which may be challenging depending on the
network configuration you have.
More on that issue here:
http://ssimo.org/blog/id_019.html
On Tue, 2015
the problem of the referer, but should be easy to fix
with a rewrite rule.
Simo.
~J
On 8/18/15 3:02 PM, Simo Sorce wrote:
On Tue, 2015-08-18 at 18:01 -0400, Simo Sorce wrote:
The load balancer would have to have the exact same name (for the
clients) as the IPA server, which may
on the front end. (this is for web only, not the LDAP or
Kerberos)
Thank you
~J
You could try disabling the rewrite rules to do this in
/etc/httpd/conf.d/ipa-rewrite.conf.
rob
component that implements the
secure storage for the Vault feature.
HTH,
Simo.
/default.conf could not be removed: [Errno 2] No such
file or directory: '/etc/ipa/default.conf'Please remove /etc/ipa/default.conf
manually, as it can cause subsequent installation to fail.Client uninstall
complete.