[Freeipa-users] Re: several IPA CA certificate entries

2017-10-24 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/23/2017 08:59 PM, Bhavin Vaidya via FreeIPA-users wrote: Hello Rob, here what we have. Looks like /etc/http/alias certificate is different, as it is from Sug 03 2014 through Aug 03 2034, which is original date. If /etc/httpd/alias does not contain the latest IPA CA certificate,

[Freeipa-users] Re: Enrolling SLE 12 SP2 hosts with FreeIPA

2017-10-24 Thread Simo Sorce via FreeIPA-users
On Tue, 2017-10-24 at 16:23 +1300, Aaron Hicks via FreeIPA-users wrote: > Hello the FreeIPA List, > >   > > We've got a FreeIPA directory set up and running. That's all good. > >   > > The difficult part is that we also have a number (many) of SLE 12 SP2 > hosts > that need to be enrolled. >

[Freeipa-users] ipa sudorule-add-user SUDORULE-NAME doesn't support multiple groups

2017-10-24 Thread Alexandre Pitre via FreeIPA-users
Hi, I noticed that on FreeIPA 4.5.0 on CentOS I can't specify multiple groups with the sudorule-add-user command. Example: ipa sudorule-add-user sudorule --groups=group1,group2 Failed users/groups: member user: member group: group1,group2 - Number of members

[Freeipa-users] Re: cross-forest trust, client system cannot id AD users.

2017-10-24 Thread Steve Dainard via FreeIPA-users
Hi Jakub, As a follow up, you are correct - neither the primary group or wheel group that existed in AD needed to be created in IPA. Thanks On Fri, Oct 20, 2017 at 1:01 AM, Jakub Hrozek wrote: > On Thu, Oct 19, 2017 at 05:34:41PM -0700, Steve Dainard wrote: > > Thanks

[Freeipa-users] Re: ipa sudorule-add-user SUDORULE-NAME doesn't support multiple groups

2017-10-24 Thread Alexandre Pitre via FreeIPA-users
Would you look at that! Problem solved.Thanks. On Tue, Oct 24, 2017 at 12:08 PM, Rob Crittenden wrote: > Alexandre Pitre via FreeIPA-users wrote: > > Hi, > > > > I noticed that on FreeIPA 4.5.0 on CentOS I can't specify multiple > > groups with the sudorule-add-user

[Freeipa-users] Re: IPA CA allow CSR SAN names in external domains

2017-10-24 Thread Steve Dainard via FreeIPA-users
That did it, thanks Fraser. On Fri, Oct 20, 2017 at 5:48 PM, Fraser Tweedale wrote: > On Fri, Oct 20, 2017 at 10:59:36AM -0700, Steve Dainard via FreeIPA-users > wrote: > > Hello > > > > I have a RHEL7 IPA server installed as a subordinate CA. I'd like to be > > able to add

[Freeipa-users] Re: IPA cross-forest trust, retrieve additional ldap attributes for users

2017-10-24 Thread Alexander Bokovoy via FreeIPA-users
On ti, 24 loka 2017, Steve Dainard via FreeIPA-users wrote: Hello, I'm running a cross-forest trust with RHEL 7 IPA (60 day trial), when I do an ldapsearch on the AD user against the IPA server I get very few attributes. It seems like the sssd option 'ldap_user_extras_attrs' should fetch

[Freeipa-users] IPA cross-forest trust, retrieve additional ldap attributes for users

2017-10-24 Thread Steve Dainard via FreeIPA-users
Hello, I'm running a cross-forest trust with RHEL 7 IPA (60 day trial), when I do an ldapsearch on the AD user against the IPA server I get very few attributes. It seems like the sssd option 'ldap_user_extras_attrs' should fetch additional attributes but I can't seem to get any results. I'm also

[Freeipa-users] Re: ipa sudorule-add-user SUDORULE-NAME doesn't support multiple groups

2017-10-24 Thread Rob Crittenden via FreeIPA-users
Alexandre Pitre via FreeIPA-users wrote: > Hi, > > I noticed that on FreeIPA 4.5.0 on CentOS I can't specify multiple > groups with the sudorule-add-user command. > > Example: > > ipa sudorule-add-user sudorule --groups=group1,group2 > > Failed users/groups: > member user: > member

[Freeipa-users] Re: Latest updates broke pki-tomcatd

2017-10-24 Thread Kristian Petersen via FreeIPA-users
You mentioned that once before, but that path doesn't seem to exist on my server for some reason. When I go to /var/log/pki i get: -bash-4.2$ cd /var/log/pki/ -bash-4.2$ ls pki-server-upgrade-10.4.1.log pki-upgrade-10.4.1.log server In a previous reply, I ran a command you asked me to that

[Freeipa-users] Re: Latest updates broke pki-tomcatd

2017-10-24 Thread Rob Crittenden via FreeIPA-users
Kristian Petersen via FreeIPA-users wrote: > You mentioned that once before, but that path doesn't seem to exist on > my server for some reason. When I go to /var/log/pki i get: > -bash-4.2$ cd /var/log/pki/ > -bash-4.2$ ls > pki-server-upgrade-10.4.1.log pki-upgrade-10.4.1.log server > > In

[Freeipa-users] Re: Enrolling SLE 12 SP2 hosts with FreeIPA

2017-10-24 Thread Aaron Hicks via FreeIPA-users
Hi Simo, > Use ipa-getkeytab on an admin workstation, then securely transfer the keytab > to the servers. We have _many_ hosts in a cluster, so this is not practical on a per host basis. I single line command we could bulk execute on each of them to retrieve the key would be preferred.

[Freeipa-users] yum update caused FreeIPA to temporarily return NXDOMAIN for valid records

2017-10-24 Thread Nicholas Hinds via FreeIPA-users
During an upgrade from 4.5.0-21.el7.centos.1.2 to 4.5.0-21.el7.centos.2.2 on a CentOS 7.4 machine, FreeIPA's DNS server briefly returned NXDOMAIN for records which existed in FreeIPA. These invalid responses were returned for a very short amount of time, but caused long-running issues with Java

[Freeipa-users] Install replica

2017-10-24 Thread Oleg Danilovich via FreeIPA-users
Hello guys, I want deploy freeipa replica. Now my master works on Ubuntu 16.04. Master version VERSION: 4.3.1, API_VERSION: 2.164 Then i try to install replica on ubuntu i get error. I tried to find a solution but could not. I want try to install freeipa replica on centos. Can i use freeipa

[Freeipa-users] Re: IPA cross-forest trust, retrieve additional ldap attributes for users

2017-10-24 Thread Steve Dainard via FreeIPA-users
Hi Alexander, That makes sense, is there a simple method to test which ldap_user_extras_attrs sssd is pulling in on the IPA server side (are we actually pulling in these attributes), and then test from the client side dbus (list said attributes)? Thanks, Steve On Tue, Oct 24, 2017 at 9:30 AM,

[Freeipa-users] Re: Enrolling SLE 12 SP2 hosts with FreeIPA

2017-10-24 Thread Rob Crittenden via FreeIPA-users
Aaron Hicks via FreeIPA-users wrote: > Hi Simo, > >> Use ipa-getkeytab on an admin workstation, then securely transfer the keytab >> to the servers. > > We have _many_ hosts in a cluster, so this is not practical on a per host > basis. I single line command we could bulk execute on each of

[Freeipa-users] Re: IPA cross-forest trust, retrieve additional ldap attributes for users

2017-10-24 Thread Alexander Bokovoy via FreeIPA-users
On ti, 24 loka 2017, Steve Dainard wrote: Hi Alexander, That makes sense, is there a simple method to test which ldap_user_extras_attrs sssd is pulling in on the IPA server side (are we actually pulling in these attributes), and then test from the client side dbus (list said attributes)? See

[Freeipa-users] Re: Install replica

2017-10-24 Thread Rob Crittenden via FreeIPA-users
Oleg Danilovich via FreeIPA-users wrote: > Hello guys, > I want deploy freeipa replica. Now my master works on Ubuntu 16.04. > Master version VERSION: 4.3.1, API_VERSION: 2.164 > Then i try to install replica on ubuntu i get error. I tried to find a > solution but could not. It would help if

[Freeipa-users] Re: yum update caused FreeIPA to temporarily return NXDOMAIN for valid records

2017-10-24 Thread Rob Crittenden via FreeIPA-users
Nicholas Hinds via FreeIPA-users wrote: > During an upgrade from 4.5.0-21.el7.centos.1.2 > to 4.5.0-21.el7.centos.2.2 on a CentOS 7.4 machine, FreeIPA's DNS server > briefly returned NXDOMAIN for records which existed in FreeIPA. These > invalid responses were returned for a very short amount of