[Freeipa-users] Group membership expiration

2017-07-26 Thread Prashant Bapat via FreeIPA-users
Hi FreeIPA Users, Is there a way to make the group membership have an optional expiration date? This expiration date can be set by the admin. Any pointers to how this can be implemented would be very helpful. Thanks. --Prashant

[Freeipa-users] Re: AD trust setup woes

2017-07-26 Thread Jakub Hrozek via FreeIPA-users
On Tue, Jul 25, 2017 at 10:12:38AM -0400, Jason Hensley via FreeIPA-users wrote: > On Tue, Jul 25, 2017 at 2:29 AM, Jakub Hrozek via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > > > On Mon, Jul 24, 2017 at 04:25:14PM -0400, Jason Beck via FreeIPA-users > > wrote: > > > On Mon,

[Freeipa-users] Re: Password and OTP auth

2017-07-26 Thread Andrey Dudin via FreeIPA-users
Hello Christian. I thought about it a little bit more and suppose maybe it's not a bug, maybe it's a security feature. For example: We have a PROD host with OTP auth and a user with password and OTP auth enabled. Some bad guy steals the user password, goes to the FreeIPA web interface, adds a new OTP token and goes

[Freeipa-users] Re: OSX (El Capitan) - FreeIPA

2017-07-26 Thread Luiz Garrido ALKEMY X via FreeIPA-users
Our setup is really close to this how-to: http://www.freeipa.org/page/HowTo/Setup_FreeIPA_Services_for_Mac_OS_X_10.12 Just a little different because this didn't exist when we did the configuration. But even if you follow that, users on Mac are not getting IPA groups and without correct

[Freeipa-users] Re: Password and OTP auth

2017-07-26 Thread Christian Heimes via FreeIPA-users
On 2017-05-17 12:06, Andrey Dudin wrote: > Hello > > If I do ipa user-mod test --user-auth-type=password > --user-auth-type=otp I have user: > > [root@ipa-centos]# ipa user-show test > User login: test > First name: test > Last name: test > Home directory: /home/test > Login shell:

[Freeipa-users] Free IPA/LDAP migration

2017-07-26 Thread Ed Aiduc via FreeIPA-users
Hi! I'm a newbie here. I just have a question with regards to LDAP. I have two FreeIPA servers, one with LDAP and the other one has no LDAP on it. I wanted to transfer/migrate the LDAP config from one server to the other server with no LDAP, is it possible? I'm searching the internet but can't

[Freeipa-users] Re: Krb5.conf only sees first two kdc servers

2017-07-26 Thread Sumit Bose via FreeIPA-users
On Wed, Jul 26, 2017 at 03:56:52AM +, pgb205 via FreeIPA-users wrote: > As far as I know krb5.conf does not have limitations on the number of KDCs > that can be listed https://web.mit.edu/kerberos/krb5-1krb5_conf.html > I have 3 servers that I would like to be read. I have no problem with

[Freeipa-users] Re: Free IPA/LDAP migration

2017-07-26 Thread Mon Corotan via FreeIPA-users
I apologize for the confusion. I am referring to 2 servers with two different domains. I will try your suggestion and get back for the result. Thanks for the response :)

[Freeipa-users] Re: Free IPA/LDAP migration

2017-07-26 Thread Florence Blanc-Renaud via FreeIPA-users
On 07/26/2017 08:32 AM, Ed Aiduc via FreeIPA-users wrote: Hi! I'm a newbie here. I just have a question with regards to LDAP. I have two FreeIPA servers, one with LDAP and the other one has no LDAP on it. I wanted to transfer/migrate the LDAP config from one server to the other server with no

[Freeipa-users] Re: OSX (El Capitan) - FreeIPA

2017-07-26 Thread Jason Sherrill via FreeIPA-users
Luiz, Would you please run the below command from an OS X workstation's terminal to test look-up/caching of groups? If it displays a gid then we know the issue isn't LDAP mapping. dscacheutil -q group -a name *yourGroupName* On Tue, Jul 25, 2017 at 11:30 AM, Luiz Garrido ALKEMY X via

[Freeipa-users] Re: FreeIPA upgrade

2017-07-26 Thread Bhavin Vaidya via FreeIPA-users
Thanks Rob for pointing out that pki-tps-tomcat is not required. After taking a snapshot we removed the RPM and upgraded FreeIPA. We hit the bug 1436268, so we removed the entry for server_id in /etc/named.conf and all worked out great.

[Freeipa-users] Re: ipa-replica-install hanging at `[29/44]: setting up initial replication`

2017-07-26 Thread John Morris via FreeIPA-users
The `IPA_SERVER_IP` failing to correct the A-record is issue #121: https://github.com/freeipa/freeipa-container/issues/121 That puts a neat little bow on all my questions in this email thread. :D Thanks- John On 07/24/2017 09:26 PM, John Morris via FreeIPA-users wrote: Never mind,

[Freeipa-users] Re: Krb5.conf only sees first two kdc servers

2017-07-26 Thread pgb205 via FreeIPA-users
Sumit, thank you very much for this. Very helpful, but I am still not seeing the problem. So at first I will try with the following in krb5.conf:
kdc=server1       <-- shut off on the network
#kdc=server2      <-- shut off on the network and commented out in krb5.conf
kdc=server3       <-- up and running

[Freeipa-users] Re: Krb5.conf only sees first two kdc servers

2017-07-26 Thread Michael Papet via FreeIPA-users
> If the _srv_ is enabled then am I correct in assuming that we wouldn't even need kdc= records in krb5.conf?
> I tried removing kdc= lines and was unable to authenticate.
In my experience, sssd relies upon the local Kerberos stack. Maybe others have different experiences. mpapet