[Freeipa-users] Re: FreeIPA connection limits?

2017-12-11 Thread Sumit Bose via FreeIPA-users
On Mon, Dec 11, 2017 at 10:08:50AM +1300, Aaron Hicks via FreeIPA-users wrote: > Hello the list, > > > > We've got a number (hundreds) of hosts inside a private network, these all > query the FreeIPA server for user and group information using NAT and a > gateway server. > > > > However we'

[Freeipa-users] Re: One way trust between 2 different freeipa servers

2017-12-11 Thread Alexander Bokovoy via FreeIPA-users
On ma, 11 joulu 2017, Andrew Radygin via FreeIPA-users wrote: It's really interesting question, I'd like to know it too. 2017-12-11 5:38 GMT+03:00 Anvar Kuchkartaev via FreeIPA-users < freeipa-users@lists.fedorahosted.org>: Hello I would like to setup one way trust between 2 different freeipa

[Freeipa-users] Replication & Boot Errors

2017-12-11 Thread Callum Guy via FreeIPA-users
Hi All, I have been carrying out some routine maintenance on our IPA installation and following a reboot I am seeing a number of errors in the 389 logs. I am struggling to understand whether any of these errors and warnings are anything I should be concerned about and how I might go about rectifying

[Freeipa-users] sudo auth doesn't work on some hosts

2017-12-11 Thread Andrew Radygin via FreeIPA-users
Hello! I've got an interesting problem. I have very simple hbac and sudo rules, one hbac for admins group and the same sudo rule for the same user group - all members of this group could do anything and everywhere. I cannot do sudo on some of the machines, it just isn't accepting the password, but initia

[Freeipa-users] Re: Unable to use external groups or users, trusted domain object not found

2017-12-11 Thread Henrik Johansson via FreeIPA-users
Hi again, I have generated debug, both in samba and in sssd and attached the log files. From what I can see from the sssd-logfile we are talking to the AD domain but do not find any groups? The rest of the debug files are from the whole session including the trust-add. If you could have a quick lo

[Freeipa-users] Re: sudo auth doesn't work on some hosts

2017-12-11 Thread Andrew Radygin via FreeIPA-users
Ahhh, never mind. It seems that wrong time on that system broke sudo. Can anybody explain this? 2017-12-11 15:50 GMT+03:00 Andrew Radygin : > Hello! > > I've got an interesting problem, > I have very simple hbac and sudo rules, one hbac for admins group and the > same sudo rule for the same user gro

[Freeipa-users] Re: Unable to use external groups or users, trusted domain object not found

2017-12-11 Thread Alexander Bokovoy via FreeIPA-users
On ma, 11 joulu 2017, Henrik Johansson via FreeIPA-users wrote: Hi again, I have generated debug, both in samba and in sssd and attached the log files. From what I can see from the sssd-logfile we are talking to the AD domain but do not find any groups? The rest of the debug files are from t

[Freeipa-users] IPA 4.5 upgrade or clean install on CentOS/RHEL-7.4 has never worked for us (webUI fails) -- Latest guidance?

2017-12-11 Thread Chris Dagdigian via FreeIPA-users
Hi folks, Stuck in a catch-22 where I can't update our existing 4.4.0 production servers nor can we stand up new working sandbox servers running IPA-4.5 In all cases (upgrade and new install) we end up with a WebUI that is not functional when deployed on RHEL 7.4 or CentOS 7.4 However I thi

[Freeipa-users] Re: FreeIPA connection limits?

2017-12-11 Thread Aaron Hicks via FreeIPA-users
No, our FreeIPA instance is stand alone, but we’ll be implementing replication soon. Get Outlook for iOS From: Sumit Bose via FreeIPA-users Sent: Monday, December 11, 2017 9:06:53 PM To: freeipa-users@lists.fedorahosted.org Cc: Sumit Bose S

[Freeipa-users] Re: FreeIPA connection limits?

2017-12-11 Thread Aaron Hicks via FreeIPA-users
Hi Andrew, I’m afraid it’s often happening during the initial population of the cache. Also these hosts are all LDAP only and caching with nscd, as they only need user and group name resolution. This was done to minimise changes to their software image as they’re stateless/diskless hosts. Get O

[Freeipa-users] Re: FreeIPA connection limits?

2017-12-11 Thread Andrew Radygin via FreeIPA-users
So are you telling me your ds-389 isn't responding to a simple ldapsearch, for instance, even if there is no huge amount of logins to hosts? Just from refreshing the cache on host clients? But if you don't have sssd (that does kernel-caching of privileges), therefore all your clients every time doing ldapse

[Freeipa-users] FreeIPA user sync to online services?

2017-12-11 Thread Dagan McGregor via FreeIPA-users
Hi all, My work is taking another look at options to enable user management with a number of third party online services. Primarily to use with AWS, Github, and Datadog. I have been looking at options such as the new AWS SSO product, OneLogin, Okta, etc. Is anyone using FreeIPA with one of the

[Freeipa-users] Re: IPA 4.5 upgrade or clean install on CentOS/RHEL-7.4 has never worked for us (webUI fails) -- Latest guidance?

2017-12-11 Thread Alexander Bokovoy via FreeIPA-users
On ma, 11 joulu 2017, Chris Dagdigian via FreeIPA-users wrote: Hi folks, Stuck in a catch-22 where I can't update our existing 4.4.0 production servers nor can we stand up new working sandbox servers running IPA-4.5 In all cases (upgrade and new install) we end up with a WebUI that is not f

[Freeipa-users] Re: IPA 4.5 upgrade or clean install on CentOS/RHEL-7.4 has never worked for us (webUI fails) -- Latest guidance?

2017-12-11 Thread Dagan McGregor via FreeIPA-users
Hi, By default the web UI tries network authentication for users before the page displays. The GSS error below indicates that initial negotiation fails, so no pop-up window appears, and the UI doesn't load after that. Have you tried using different browsers? Have you also tried an install

[Freeipa-users] Re: FreeIPA connection limits?

2017-12-11 Thread Gordon Messmer via FreeIPA-users
On 12/10/2017 01:08 PM, Aaron Hicks via FreeIPA-users wrote: We’ve got a number (hundreds) of hosts inside a private network, these all query the FreeIPA server for user and group information using NAT and a gateway server. However we’re having issues with the LDAP queries timing out or bec

[Freeipa-users] Re: Unable to use external groups or users, trusted domain object not found

2017-12-11 Thread Henrik Johansson via FreeIPA-users
> On 11 Dec 2017, at 16:04, Alexander Bokovoy via FreeIPA-users > wrote: > > On ma, 11 joulu 2017, Henrik Johansson via FreeIPA-users wrote: >> Hi again, >> >> I have generated debug, both in samba and in sssd and attached the log >> files. From what I can see from the sssd-logfile we are ta

[Freeipa-users] Re: Unable to use external groups or users, trusted domain object not found

2017-12-11 Thread Alexander Bokovoy via FreeIPA-users
On ma, 11 joulu 2017, Henrik Johansson via FreeIPA-users wrote: On 11 Dec 2017, at 16:04, Alexander Bokovoy via FreeIPA-users wrote: On ma, 11 joulu 2017, Henrik Johansson via FreeIPA-users wrote: Hi again, I have generated debug, both in samba and in sssd and attached the log files. Fro

[Freeipa-users] Re: FreeIPA connection limits?

2017-12-11 Thread Aaron Hicks via FreeIPA-users
Hi Andrew, Single operations are fine. From the command line names resolve quickly, especially once cached; ldapsearch and other commands work when properly authenticated. When the hosts behind the NAT process a job, it starts a burst of activity and initiates a large number of LDAP con

[Freeipa-users] Re: FreeIPA connection limits?

2017-12-11 Thread Gordon Messmer via FreeIPA-users
On 12/11/2017 01:46 PM, Aaron Hicks via FreeIPA-users wrote: When the hosts behind the NAT process a job, it starts a burst of activity and initiates a large number of LDAP connections (multiple connections per host, about a hundred hosts) That seems like a relatively small number of connecti