Due to popular request, I am offering a completely unofficial and
unsupported repository of the latest 1.9.x LTM bits for RHEL 5 and
derivatives. The latest official version supported by the distribution
is 1.5.x.
These packages are built from the
On 03/21/2013 09:04 AM, Jan-Frode Myklebust wrote:
Serverfault has a hack for supporting nested groups on
RHEL5/apache-2.2 involving a ldap filter using
LDAP_MATCHING_RULE_IN_CHAIN on Active Directory, ref:
http://serverfault.com/a/424706
On 12/28/2012 10:23 AM, Michael B. Trausch wrote:
On 12/28/2012 08:56 AM, Simo Sorce wrote:
However re-reading the ticket made me wonder. Is this happening on the
F18 machine or on the Centos 6.3 machine ?
The sigsegv is happening on the Fedora 18 box, the one running FreeIPA
3.1.0.
I am
On Fri 16 Nov 2012 08:56:59 AM EST, Natxo Asenjo wrote:
On Fri, Nov 16, 2012 at 2:52 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
hi,
when running getent netgroup netgroupname I get old entries.
Apparently sssd is being helpful :-) and caching info, but it should
not do it when I am connected
On Wed 31 Oct 2012 08:56:14 AM EDT, Bret Wortman wrote:
Has anyone set things up so that individual users have the option to
automount a homedir or have one autocreated on each system they use
for them? I have some users who prefer one way and others who prefer
the other. Both have valid reasons
On Tue, 2012-08-28 at 17:21 -0400, Rob Crittenden wrote:
Michael Mercier wrote:
On 2012-08-22, at 4:12 PM, Rob Crittenden wrote:
Michael Mercier wrote:
Hello,
In Aug 2010, someone posted a message to this list about integrating
tacacs+ with freeipa
On Fri, 2012-08-17 at 11:42 +0200, Jakub Hrozek wrote:
On Thu, Aug 16, 2012 at 09:00:23PM +, Steven Jones wrote:
Hi,
What is the default length of time the sssd daemon on a client caches for
once IPA is off line pls?
If the IPA provider is offline, we never remove anything
On Fri, 2012-08-17 at 13:42 -0500, Anthony Messina wrote:
On Monday, July 23, 2012 04:08:25 AM Anthony Messina wrote:
I have installed freeipa-server-2.2.0-1.fc17.x86_64 and it's running
well. I have also installed rkhunter-1.4.0-1.fc17.noarch on the IPA
server and each morning I receive
On Thu, 2012-07-19 at 00:53 +, Steven Jones wrote:
Actually it's pam unless IPA is as well.
Which makes sense then to have an application run 500 so inherently it
cannot be logged into via ssh
Well, it's possible to configure your system to allow logging in to
users below 500,
On Thu, 2012-07-19 at 00:02 +, Steven Jones wrote:
Hi,
Is there a rule or something that makes users with a UID of less than
500 not work?
Yes, on Red Hat and older Fedora systems, UIDs below 500 are reserved
for system services such as the apache user.
On newer Fedora systems (and
On Thu, 2012-07-19 at 00:39 +, Steven Jones wrote:
Hi,
I want to create a user that users who can login to a host can sudo -i
to but I don't want to allow that user ssh or login but must exist on the
server such that the sudo -i command will succeed.
I cannot see how this is
On Tue, 2012-06-26 at 15:02 +0200, Natxo Asenjo wrote:
hi,
recently it was brought to my attention that isc-dhcpd version 4.2
supports getting its database information from ldap. Earlier versions
support it as well with a patch.
It would be awesome if this could be integrated in IPA.
On Sun, 2012-06-24 at 15:10 -0700, Joe Linoff wrote:
Hi Mark:
I did not find any entries related to passwords in the LDAP record.
There were some entries that looked as though they were related to
Kerberos which might be useful.
% ldapsearch -LLL -x -b
On Mon, 2012-06-25 at 09:52 -0700, george he wrote:
Hello,
I have a server and a few client set up. I can ssh to the server or
clients. But there's no entry on the console gdm for ipa user, and I
cannot login by choosing others either.
What do I need to set up for gdm log on? I searched the
On Mon, 2012-06-25 at 10:25 -0700, george he wrote:
Hello Stephen,
this is what in the log file:
Jun 25 13:22:10 mz gdm-password][21545]: pam_unix(gdm-password:auth):
authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser=
rhost= user=jhe
Jun 25 13:22:11 mz
On Mon, 2012-06-25 at 10:41 -0700, george he wrote:
Hi Stephen,
I already have a home directory which was created the first time I ssh
in.
Now when I click on sign in, nothing happens...
Just to experiment, try 'setenforce 0' as root and then try to log in.
SELinux could be denying you.
On Mon, 2012-06-25 at 10:55 -0700, george he wrote:
Hi Stephen,
selinux was set to permissive before I installed the client. ( I
modified the file /etc/sysconfig/selinux)
Modifying that file without a reboot does not change the current state.
That only tells the kernel whether to boot with
On Mon, 2012-06-25 at 15:39 -0400, Dmitri Pal wrote:
On 06/25/2012 02:36 PM, Simo Sorce wrote:
On Mon, 2012-06-25 at 13:51 -0400, Dmitri Pal wrote:
Simo are you sure simple bind is enough? I thought that it should be a
bind over SSL with some specific ext op. Do I recall it wrong?
A bind
On Fri, 2012-06-15 at 15:19 +0200, Sigbjorn Lie wrote:
Hi,
I've seen cron jobs on some of our machines not being run after they were
migrated to IPA. The
machines in question have not been restarted after they were migrated from
NIS to IPA.
These are RHEL 6 machines. The users that
On Mon, 2012-06-11 at 12:25 -0400, Dmitri Pal wrote:
On 06/09/2012 06:24 AM, Joe Linoff wrote:
Hi:
I read somewhere that I should turn off the NetworkManager service
on the IPA server. Should I do same on the clients?
...
There was a problem with earlier versions which now is
On Wed, 2012-06-06 at 06:59 -0700, Joe Linoff wrote:
Hi Folks:
I am a newbie so I apologize in advance if this is a silly set of
questions. I am using FreeIPA 2.1.3 on CentOS 6.2 and am very happy
with it but I have a couple of questions about root access. When I
setup my systems, I
On Mon, 2012-06-04 at 08:39 +0200, Martin Kosek wrote:
On Sat, 2012-06-02 at 06:52 -0700, Joe Linoff wrote:
Hi:
I am a newbie that is trying out FreeIPA for the first time. So far I
am extremely impressed with this system but I ran into a problem that
I need some help with. I am
For quite some time, we have used the sssd-devel mailing list for
development and user configuration issue discussions. As the project has
grown, it becomes more and more clear that we need to separate these
topics into their own lists.
So as of today, we now have a new mailing list for user
On Fri, 2012-05-11 at 13:16 +0200, pasqual milvaques wrote:
root : DEBUG Init ldap with: ldap://freeipaserver.linux.gva.es:389
root : ERROR LDAP Error: Connect error: A TLS packet with unexpected
length was received.
Failed to verify that freeipaserver.linux.gva.es is an IPA Server.
This
On Thu, 2012-05-10 at 00:24 +, Steven Jones wrote:
Hi,
In case everyone else is asleep now..
Do you have access to RH documentation? the 6.3beta admin guide
section 18.8 talks about why and how to make a replicate a master.
The problem seems to be that David had only a single
On Mon, 2012-04-30 at 22:14 +, Steven Jones wrote:
Hi,
Do you want me to open a RH case?
Yes, that's probably best. Please include as much detail as possible,
such as your sssd.conf and, ideally, a sanitized sssd_DOMAINNAME.log at
level 6 or higher.
On Mon, 2012-04-30 at 14:51 -0700, David Copperfield wrote:
Hi folks,
During migration existing Kerberos/LDAP setup clients to IPA, after
'ipa-client-install' command is run and reports successful migration,
we found that the client fails to talk with IPA server.
The symptom is: in
On Tue, 2012-05-01 at 20:41 +, Steven Jones wrote:
Which sssd.conf's?
On the clients that you cannot log into.
On Sun, 2012-04-29 at 23:37 +, Steven Jones wrote:
Hi,
Maybe I am missing something here but I thought/assumed that if one of
the IPA servers was off line the client would use the other IPA
server?
This doesn't seem to be the case, so am I wrong on how IPA works, or do
I have a setup
The existing document states all the steps as listed below.
A user tries to log into a machine with SSSD.
SSSD attempts to perform Kerberos authentication against the
IPA server.
Even though the user exists in the system, the authentication
will
On Thu, 2012-04-26 at 19:58 -0700, David Copperfield wrote:
Hi,
Just have a silly case where I've to download the existing version
keytab for a service principal. It is download only -- not recreate a
new version and download the new version which ipa-getkeytab does. --
ipa-getkeytab
On Thu, 2012-03-08 at 20:14 +, Steven Jones wrote:
Hi,
I am setting up some IPA users what I have noticed is if I or they type
startx to start a gui locking the .Xauthority fails, if I setenforce 0
then it works fine. I have never seen this behaviour before and
googling suggests it's
On Fri, 2012-03-02 at 05:16 +0300, Craig T wrote:
Hi,
Server Side:
RHEL6.2
ipa-admintools-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
On Fri, 2012-03-02 at 14:52 +0100, Sigbjorn Lie wrote:
Hi,
I'm experiencing that SSSD is now crashing at random times on _ALL_ RHEL 6.2
machines where we
have installed SSSD connected to an IPA domain. SSSD can reach up to a month
of uptime before
sssd_be crashes. This happens on both
On Fri, 2012-03-02 at 15:08 +0100, Sigbjorn Lie wrote:
On Fri, March 2, 2012 15:04, Stephen Gallagher wrote:
On Fri, 2012-03-02 at 14:52 +0100, Sigbjorn Lie wrote:
Hi,
I'm experiencing that SSSD is now crashing at random times on _ALL_ RHEL
6.2 machines where we
have installed
On Wed, 2012-02-29 at 11:24 -0500, Kelvin Edmison wrote:
Hi all,
I am running into an issue where users cannot access a samba volume if
their only access is via a secondary group. For example, if testuser's
primary group is ipausers, and secondary groups include testgroup, and the
samba
On Wed, 2012-02-29 at 13:49 -0500, Kelvin Edmison wrote:
On 12-02-29 1:40 PM, Stephen Gallagher sgall...@redhat.com wrote:
On Wed, 2012-02-29 at 11:24 -0500, Kelvin Edmison wrote:
Hi all,
I am running into an issue where users cannot access a samba volume if
their only access
On Mon, 2012-02-27 at 22:05 -0800, Brian Cook wrote:
example
[root@ipasvr yum.repos.d]# yum list freeipa-server
Loaded plugins: langpacks, presto, refresh-packagekit
Available Packages
freeipa-server.i686
2.1.4-1.20120209T0216Zgit11c25a4.fc16 ipa-devel
On Fri, 2012-02-10 at 10:50 +0100, Marco Pizzoli wrote:
Hi,
On Mon, Jan 30, 2012 at 4:55 PM, Dmitri Pal d...@redhat.com wrote:
On 01/30/2012 09:47 AM, Marco Pizzoli wrote:
Hi guys,
Next days I'm going to start a test deployment of FreeIPA
2.1 but the
On Fri, 2012-02-10 at 16:18 -0500, John Dennis wrote:
On 02/10/2012 03:49 PM, Marco Pizzoli wrote:
-- Finished Dependency Resolution
*Error: Protected multilib versions: libldb-1.1.0-1.fc16.i686 !=
libldb-1.1.4-1.fc16.1.x86_64*
This error is because you've got both a 32-bit and 64-bit
On Thu, 2012-02-02 at 10:44 -0500, Dmitri Pal wrote:
On 02/02/2012 09:59 AM, Nigel Sollars wrote:
Hi All,
I notice online people have already asked about Clients for other
linux distributions, my addition to this is how far ( if any )
along is the effort?. Is there an svn / git
On Wed, 2012-02-01 at 11:02 +0100, Sigbjorn Lie wrote:
Hi,
Is this more like the expected output? :)
No, I'm afraid it's not. That's a log of a legitimate shutdown, not a
segmentation fault. (Receiving SIGTERM means that the monitor told the
process to exit).
Possibly this happened if the
On Tue, 2012-01-31 at 10:22 +0100, Ondrej Valousek wrote:
Hey sounds good to me, just glad it is working for you :). The only
other question/suggestion I have is that it looks like you aren't
leveraging kerberos in your configuration for SSO, You might want to
think about doing this
On Tue, 2012-01-31 at 13:35 +0100, Sigbjorn Lie wrote:
Ok, please see below for the output from gdb.
I notice that it's not happening every time. All this morning I could unlock
without any issues.
Around lunchtime the issue started occurring again, but it's different each
time how
On Tue, 2012-01-31 at 21:03 +, Dale Macartney wrote:
Hi Simo
I have used oddjob in the past and it works a treat, however this was
with ipa-client-install..
I was just dabbling around with the script over dinner and saw you were
an
On Mon, 2012-01-30 at 16:01 +0100, Sigbjorn Lie wrote:
Hi,
I'm doing a pre-implementation project for a customer having RHEL 5.7
workstations with KDE as
their windows manager.
When using KDE at a RHEL 5.7 (or 5.8 BETA) workstation connected to a IPA
2.1.3 running at RHEL
6.2 server,
On Mon, 2012-01-30 at 18:00 +0100, Sigbjorn Lie wrote:
Sure. I've left the office for today, will do so tomorrow.
I'm not very familiar with gdb. Any particular syntax / switches to
add?
Rgds,
Siggi.
You'll want to do this in a non-graphical terminal, so you can switch to
it if KDE gets
On Fri, 2012-01-27 at 15:11 +0100, Sigbjorn Lie wrote:
Hi
The first naming context returned from the LDAP server is always chosen
when using migrate-ds. This makes my import fail when I attempt to
import users and groups from a previous LDAP server having more than 1
naming contexts
On Fri, 2012-01-27 at 10:36 -0500, Dan Scott wrote:
Hi,
I have a Fedora 16 client running sssd-client-1.6.4-1.fc16.x86_64.
When I run, e.g. id djscott, I do not get the names of the groups:
-bash-4.2$ id djscott
uid=768(djscott) gid=1002(legacy-group)
On Fri, 2012-01-27 at 17:57 +0100, Jakub Hrozek wrote:
On Fri, Jan 27, 2012 at 11:47:01AM -0500, Dan Scott wrote:
Hi,
On Fri, Jan 27, 2012 at 10:48, Stephen Gallagher sgall...@redhat.com
wrote:
On Fri, 2012-01-27 at 10:36 -0500, Dan Scott wrote:
Hi,
I have a Fedora 16 client
On Fri, 2012-01-27 at 13:42 -0500, Rob Crittenden wrote:
This came up yesterday internally too. I don't believe a bug or ticket
has been filed yet.
My best guess on what is happening, based on what I saw with our own
case, is this:
A migrated attribute is coming in that IPA doesn't
On Tue, 2012-01-24 at 20:11 -0600, ~Stack~ wrote:
You can manage to have machines still fetch data from IPA, but they
can't be full fledged clients if you can't preserve the keytab and some
other configuration.
As long as I can have a user log into the box and run a process, I don't
On Fri, 2012-01-20 at 17:35 +0100, Sigbjorn Lie wrote:
On 01/19/2012 04:33 PM, Stephen Gallagher wrote:
On Thu, 2012-01-19 at 14:06 +, Charlie Derwent wrote:
https://fedorahosted.org/freeipa/ticket/22827
For the record, the correct link is
https://fedorahosted.org/freeipa/ticket/2282
On Thu, 2012-01-19 at 13:18 +, Charlie Derwent wrote:
Thanks for the advice Stephen (and the quick response), obviously that
won't help with load balanced comms during the installation process
but it should keep it to a minimum afterwards.
Wouldn't a quick solution be the addition of a
On Thu, 2012-01-19 at 14:06 +, Charlie Derwent wrote:
https://fedorahosted.org/freeipa/ticket/22827
For the record, the correct link is
https://fedorahosted.org/freeipa/ticket/2282
On Wed, 2012-01-11 at 12:56 -0500, Dmitri Pal wrote:
On 01/10/2012 02:31 PM, Stephen Gallagher wrote:
It's come up more than once that SSSD needs a Frequently Asked Questions
page to field some of our more common questions. I'm reaching out to the
SSSD and FreeIPA user and developer
It's come up more than once that SSSD needs a Frequently Asked Questions
page to field some of our more common questions. I'm reaching out to the
SSSD and FreeIPA user and developer communities to help us flesh out
this page.
I've begun it with the two most common questions I've received lately,
On Thu, 2012-01-05 at 11:35 -0900, Erinn Looney-Triggs wrote:
I am trying to solve an issue that seems like it should be obvious but
is not, to me at least.
I am trying to allow a user to log into a single host, via GDM. I have
configured a HBAC rule that allows access to the host from the
On Jan 5, 2012, at 5:48 PM, Erinn Looney-Triggs erinn.looneytri...@gmail.com
wrote:
On 01/05/2012 11:54 AM, Stephen Gallagher wrote:
On Thu, 2012-01-05 at 11:48 -0900, Erinn Looney-Triggs wrote:
Yes that look about right, not able to confirm 100%, but that is
probably the issue.
We're
On Tue, 2011-12-20 at 12:59 -0900, Erinn Looney-Triggs wrote:
I have been working through configuring sudo via IPA and ran into the
following situation.
There is a directive in the documentation to configure
/etc/sssd/sssd.conf on the clients with something like the following:
On Wed, 2011-12-21 at 09:08 -0900, Erinn Looney-Triggs wrote:
On 12/21/2011 04:37 AM, Stephen Gallagher wrote:
On Tue, 2011-12-20 at 12:59 -0900, Erinn Looney-Triggs wrote:
I have been working through configuring sudo via IPA and ran into the
following situation
When we originally designed SSSD, we looked at it as a solution for
dealing with LDAP and Kerberos identity and authentication for Linux and
UNIX clients. With our initial approach, we decided to include only
marginal support for Microsoft's Active Directory as a source of user
information (only
On Fri, 2011-12-02 at 15:59 +0100, Ondrej Valousek wrote:
Small update so I am not only throwing dirt on winbind:
Winbind has still its use if you can not use / do not have RFC2307
attributes in AD.
So simply, if you want to use RFC2307 attributes, sssd is here for
you. If not, go for
On Thu, 2011-12-01 at 13:46 +0100, Jakub Hrozek wrote:
On Wed, Nov 30, 2011 at 01:18:46PM +0200, Lassi Pölönen wrote:
Hi,
I'm looking for implementing FreeIPA in an environment where there are
multiple customers in multiple organizations and a single organization
that manages the
On Tue, 2011-11-15 at 16:51 -0500, Boris Epstein wrote:
Just tried to install sssd from the above repo.
There's only packages for the old 10.04 lucid
On Sun, 2011-11-13 at 19:19 +0100, Sigbjorn Lie wrote:
On 11/13/2011 02:48 PM, Simo Sorce wrote:
On Sat, 2011-11-12 at 15:55 +0100, Sigbjorn Lie wrote:
Hi,
I notice that when sssd is configured to update DNS, it's only updating
the DNS forward zone, it's not updating the DNS reverse
On Thu, 2011-11-10 at 23:08 +0100, Sigbjorn Lie wrote:
Hi,
I just installed Fedora 16 and noticed that there now was an option for
using FreeIPA as authentication database. Awesome!
But why the normal ldap/kerberos options that met me when I chose
FreeIPA (see the attachment). I was
On Wed, 2011-11-09 at 12:50 -0500, Boris Epstein wrote:
Hello all,
I am an absolute beginner here... So... I have a machine that only has
512 MB of RAM which is too small to house Fedora. So that machine is
running CentOS 5.6. And now I want to install FreeIPA on it. Has
anybody done it? If
On Wed, 2011-11-09 at 13:46 -0500, Boris Epstein wrote:
On Wed, Nov 9, 2011 at 1:39 PM, Stephen Gallagher sgall...@redhat.com wrote:
On Wed, 2011-11-09 at 12:50 -0500, Boris Epstein wrote:
Hello all,
I am an absolute beginner here... So... I have a machine that only has
512 MB of RAM
On Fri, 2011-11-04 at 17:12 -0400, Dan Scott wrote:
Hi,
I've just migrated a couple of servers from FreeIPA 1.2 to 2.1. I'm
almost done. I just have a few custom LDAP searches to migrate.
With the old system, I was trying to look users who are in a
particular group by their email address
On Tue, 2011-10-18 at 16:52 +0100, duncan.in...@virginmoney.com wrote:
Just as a pointer here - It would be good if there was ubiquitous
support amongst the browsers. I understand the whole concept behind
we test what we ship with, but we're no longer talking about huge
differences between
On Tue, 2011-10-04 at 09:32 +0200, Ondrej Valousek wrote:
I have ~50 servers and yes, we are using Centrify now - and yes, it is
pain in the ass (need to take care of the licenses).
But I have found out recently that sssd can do much of the Centrify's
duty (authorization authentication) -
On Tue, 2011-10-04 at 14:53 +0200, Ondrej Valousek wrote:
Well, small things like sssd can not renew machine credentials /
As Jan said, this is being looked into.
sssd can not detect local site automatically in AD domain (no DC
locator implemented) /
Can you provide more information here?
On Mon, 2011-10-03 at 10:03 +0200, Ondrej Valousek wrote:
Just wondering why would anyone want to sync freeIPA and AD - both can
serve Linux systems fine, so if I already have AD, I no longer require
IPA.
My 2 cents...
AD can serve Linux systems with a very limited definition of fine. All
On Fri, 2011-09-23 at 13:38 -0400, Dan Scott wrote:
Hi,
I've recently upgraded from FreeIPA 1.2 to 2.1. Most things are
working OK, but I have a few problems:
1. I'm unable to login to a new client machine via GDM with my
existing credentials. i.e. I can login on the command line and my
On Tue, 2011-09-20 at 09:59 -0400, Dmitri Pal wrote:
3) After importing users use SSSD in migration mode (special setting in
SSSD config). In this case for any user without kerberos hash who would
log via SSSD the SSSD would connect IPA in a special way and trigger the
Kerberos hash
On Fri, 2011-09-16 at 14:01 -0400, Simo Sorce wrote:
There is some work being done to make ipa-client-install more cross
platforms, and we also have some contrib scripts, but we do not have a
complete ipa-client-install script for debian based distributions yet.
So you'll have to manually (or
On Tue, 2011-09-06 at 20:58 +0200, Sigbjorn Lie wrote:
On 09/06/2011 08:37 PM, Stephen Gallagher wrote:
On Tue, 2011-09-06 at 20:04 +0200, Sigbjorn Lie wrote:
Hi,
I attempt a login with a user account that's being denied access to the
host via HBAC, I receive the following generic error
On Wed, 2011-08-03 at 10:14 -0400, Ian Stokes-Rees wrote:
On 8/3/11 4:47 AM, Ondrej Valousek wrote:
Maybe stupid question, but I have to ask:
Why would anyone want to store user RSA keys in LDAP? Once you have
IPA server with KDC installed, you can use Kerberos for
authentication as
On Wed, 2011-08-03 at 12:21 -0400, Ian Stokes-Rees wrote:
On Wed Aug 3 10:37:45 2011, Stephen Gallagher wrote:
As a general rule, I would think that having your private key stored
somewhere that an admin other than yourself can reset the password and
have access to would be really
On Wed, 2011-08-03 at 14:02 -0400, Ian Stokes-Rees wrote:
On 8/3/11 1:46 PM, Stephen Gallagher wrote:
Well, there exist central storage approaches that don't allow even
the local admin access to the data. The trade-off of course is that
they can't reinstate your access if you forget
On Thu, 2011-07-07 at 23:50 +, Steven Jones wrote:
8.
I thought there was a better alternative to authconfig-tui...
6
I normally type setup, which gives you a splash popup that takes you to
the auth config tool, but that dies silently. Doing authconfig-tui
shows you
We discussed today on the FreeIPA status meeting the possibility of
dropping support for DENY rules from the HBAC specification. I'm
submitting it for discussion. Specifically, I'm looking to hear whether
there are any FreeIPA admins out there that have a strong opinion on
whether the DENY rules
On Thu, 2011-06-23 at 15:26 +0200, Pieter Baele wrote:
My new freeipa installation is working (server + kinit on a host where
I configured krb5.conf manually)
but ipa-client-install gives the typical Kerberos error:
kinit: Client not found in Kerberos database while getting initial
On Thu, 2011-06-23 at 21:17 +, Steven Jones wrote:
Hi,
looking at sssd enforcing the HBAC, is it possible to [easily] or even
possible to achieve the same thing with say openldap or 389?
Right now, the SSSD is making certain assumptions that the server
providing the HBAC rules is an IPA
On Tue, 2011-06-21 at 11:06 -0400, Dan Scott wrote:
Hi,
I'm still running a FreeIPA 1.2 server but have started installing
Fedora 15 clients and am trying to figure out how to manually setup
the Krb/LDAP configuration.
I've run the 'authconfig-tui' command and manually setup Krb
On Tue, 2011-06-21 at 11:31 -0400, Dan Scott wrote:
Hi,
On Tue, Jun 21, 2011 at 11:20, Stephen Gallagher sgall...@redhat.com wrote:
On Tue, 2011-06-21 at 11:06 -0400, Dan Scott wrote:
Hi,
I'm still running a FreeIPA 1.2 server but have started installing
Fedora 15 clients and am
On Tue, 2011-06-21 at 11:58 -0400, Dan Scott wrote:
On Tue, Jun 21, 2011 at 11:37, Stephen Gallagher sgall...@redhat.com wrote:
On Tue, 2011-06-21 at 11:31 -0400, Dan Scott wrote:
Hi,
On Tue, Jun 21, 2011 at 11:20, Stephen Gallagher sgall...@redhat.com
wrote:
On Tue, 2011-06-21
On Tue, 2011-06-21 at 14:41 -0400, Dan Scott wrote:
Excellent! Thanks - that makes much more sense. I've been using
authconfig-tui all this time and had no idea that it was doing things
incorrectly.
One small issue that I found, if I switch on the Use DNS to resolve
hosts to realms
On Mon, 2011-06-13 at 18:10 -0500, Stamper, Brian P. (ARC-D)[Logyx LLC]
wrote:
Not until I add 1.299 billion users :)
I think you've missed the point a little bit. The reason for the high
UIDs is to solve a problem that most people don't realize yet that they
have.
A VERY common situation is
On Sun, 2011-06-12 at 20:44 +, Steven Jones wrote:
If they ever make the bugtrak system useable, I will.
This is not a helpful response. Please file a bug at bugzilla.redhat.com
against either SSSD or pam_krb5 on the appropriate version of Fedora.
Please include the exact behavior you are
On Mon, 2011-06-13 at 17:29 +0200, Sigbjorn Lie wrote:
On 06/13/2011 04:41 PM, Ade Lee wrote:
Hi,
The replica installation is failing when the replica attempts to contact
the CA on the master to log into the security domain. According to your
log, this is https://ipa01.ix.test.com:9445
- Original Message -
From: Sigbjorn Lie sigbj...@nixtra.com
To: Stephen Gallagher sgall...@redhat.com
Cc: freeipa-users@redhat.com
Sent: Wednesday, May 11, 2011 1:51:54 PM
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
On Wed, May 11, 2011 14:42, Stephen Gallagher
a replica or move the FreeIPA
server) since you only have to update DNS instead of every client.
- --
Stephen Gallagher
RHCE 804006346421761
Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
, ...
line of the [sssd] section are active.
We leave it in there to be a good citizen (in case it actually was
configured previously). That way we don't wipe out any settings that the
user may have had in it.
- --
Stephen Gallagher
RHCE 804006346421761
On 04/04/2011 03:52 PM, Sigbjorn Lie wrote:
On 04/04/2011 09:36 PM, Stephen Gallagher wrote:
On 04/04/2011 03:06 PM, Dmitri Pal wrote:
On 04/04/2011 03:01 PM, Sigbjorn Lie wrote:
I also noticed
On 04/04/2011 04:20 PM, Sigbjorn Lie wrote:
On 04/04/2011 10:12 PM, Stephen Gallagher wrote:
On 04/04/2011 03:52 PM, Sigbjorn Lie wrote:
On 04/04/2011 09:36 PM, Stephen Gallagher wrote:
'setenforce 0'. This will set SELinux into permissive
mode. It will still report SELinux errors, but it won't prevent the
functionality. Please keep an eye on any such errors and report them to us.
- --
Stephen Gallagher
RHCE 804006346421761
in keytab
[default]
Well, here's your problem. The SSSD isn't starting up successfully
because you don't have a host principal for this server in your
/etc/krb5.keytab file. This was probably a bug in the ipa-client-install.
What does
klist -k /etc/krb5.keytab
return to you?
- --
Stephen
and are
enrolled with FreeIPA, then they can automatically update their DNS
entries by using the
ipa_dyndns_update = True
setting in sssd.conf
- --
Stephen Gallagher
RHCE 804006346421761