[Freeipa-users] logging

2017-08-11 Thread Andrew Meyer via FreeIPA-users
If I want to keep track of DNS changes in FreeIPA, is there a way to do this? ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

[Freeipa-users] FreeIPA and Foreman

2017-07-25 Thread Andrew Meyer via FreeIPA-users
So I just installed foreman on my puppet and ansible instance and got it working.  After I installed it and got it working.  I joined the server to my FreeIPA domain.   I now get the following error whenever I try to restart apache. By the way this is CentOS 7 latest.  Has any one else run

[Freeipa-users] Re: [Freeipa-users]FreeIPA and TACACS+

2017-06-12 Thread Andrew Meyer via FreeIPA-users
Haven't gotten that far yet.  Want to set it up. On Friday, June 9, 2017 6:08 PM, Jake via FreeIPA-users wrote: it's a pam module and works the same as others, if you are using hbac you'll need to create a service for the module

[Freeipa-users] Re: [Freeipa-users]FreeIPA and TACACS+

2017-06-09 Thread Andrew Meyer via FreeIPA-users
Trying to set it up.. Going to try this weekend if I have time otherwise next week. On Fri, Jun 9, 2017 at 15:51, Jake wrote: it's a pam module and works the same as others, if you are using hbac you'll need to create a service

[Freeipa-users] Re: [Freeipa-users]FreeIPA and TACACS+

2017-06-12 Thread Andrew Meyer via FreeIPA-users
So this post is having me compile the pam_tacacs.  Do I still need to do that if I am using shrubbery.net TACACS+? On Monday, June 12, 2017 10:15 AM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: Haven't gotten that far yet.  Want to set

[Freeipa-users] Re: [Freeipa-users]FreeIPA and TACACS+

2017-06-12 Thread Andrew Meyer via FreeIPA-users
reeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: So this post is having me compile the pam_tacacs.  Do I still need to do that if I am using shrubbery.net TACACS+? On Monday, June 12, 2017 10:15 AM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org>

[Freeipa-users] Re: [Freeipa-users]FreeIPA and TACACS+

2017-06-12 Thread Andrew Meyer via FreeIPA-users
DAP Joshua D Doll On June 12, 2017 12:12:53 PM EDT, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: So this post is having me compile the pam_tacacs.  Do I still need to do that if I am using shrubbery.net TACACS+? On Monday, June 12, 2017 10:15 AM, Andrew

[Freeipa-users] FreeIPA and TACACS+

2017-06-09 Thread Andrew Meyer via FreeIPA-users
Has anyone gotten FreeIPA and TACACS+ from shrubbery.net working?

[Freeipa-users] Re: [Freeipa-users]FreeIPA and TACACS+

2017-06-13 Thread Andrew Meyer via FreeIPA-users
Another question, how hard would it be to separate this setup?  FreeIPA on one server and TACACS+ from shrubbery on another? On Monday, June 12, 2017 3:34 PM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: Correct.  So I would skip the

[Freeipa-users] Re: planning for migration

2017-10-09 Thread Andrew Meyer via FreeIPA-users
essary otherwise. Gabriel On 10/9/2017 9:24, Andrew Meyer via FreeIPA-users wrote: I'm heading down that route as well.  But I would like to have both options available to the boss. I'm not sure if my syntax is incorrect.  That's where I need help. On Monday, October 9, 2017, 11

[Freeipa-users] planning for migration

2017-10-09 Thread Andrew Meyer via FreeIPA-users
Hello, I am planning to migrate from an OpenLDAP installation to FreeIPA. I have been following the directions and matching it to several blog posts about this however I am coming up with errors.   [user@infra-test-ipa ~]$ ipa migrate-ds --user-container=users --group-container=group

[Freeipa-users] Re: planning for migration

2017-10-09 Thread Andrew Meyer via FreeIPA-users
wrote: Honestly, we simply built a new IPA configuration rather than try to migrate.  It's been far easier to move clients over by ripping the OpenLDAP off and installing IPA-client than mucking with a conversion. On 10/09/2017 11:50 AM, Andrew Meyer via FreeIPA-users wrote: > Hello, > I

[Freeipa-users] Re: planning for migration

2017-10-09 Thread Andrew Meyer via FreeIPA-users
Gabriel, When I run the ipa -v migrate-ds I need to put in my OpenLDAP manager password, correct? Not my FreeIPA admin credentials. Thank you, On Monday, October 9, 2017, 12:33:53 PM CDT, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: Thank y

[Freeipa-users] Re: planning for migration

2017-10-09 Thread Andrew Meyer via FreeIPA-users
~]$ On Monday, October 9, 2017, 4:10:21 PM CDT, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: Gabriel, When I run the ipa -v migrate-ds I need to put in my OpenLDAP manager password, correct? Not my FreeIPA admin credentials. Thank you, On Monday, O

[Freeipa-users] new servers not creating DNS entries

2017-10-18 Thread Andrew Meyer via FreeIPA-users
I am running the latest version of FreeIPA on CentOS 7.  I am testing adding servers to the domain.  I am using a tld for the FreeIPA domain, not that it would matter.  However when I join a server to the domain it is failing on adding the DNS entries for the server.   I'm seeing the following

[Freeipa-users] RADIUS and FreeIPA

2017-11-14 Thread Andrew Meyer via FreeIPA-users
After all the emails (thank you for your help) I have most of my Mac OS X clients authenticating to FreeIPA over wireless.  Clients running on a 2014 or newer 10.12.5 and up won't work.  I suspect this has to do with the TLS version.   Tell me if I'm approaching this the right way. I am trying

[Freeipa-users] Re: FreeIPA & wireless

2017-11-14 Thread Andrew Meyer via FreeIPA-users
rossChx 614.427.2411 mike.plemm...@crosschx.com www.crosschx.com On Fri, Nov 10, 2017 at 11:07 AM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: So I was wondering if anyone has FreeIPA setup to do authentication with wireless.   We have an ArubaNetworks platform setu

[Freeipa-users] Re: freeipa sudoers help

2017-11-27 Thread Andrew Meyer via FreeIPA-users
8:33 AM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: I will check this out and get back to you.  thank you. On Friday, November 10, 2017 8:04 AM, Aaron Cole via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: In IPA the Cmnd_Al

[Freeipa-users] adding new client server and dns failing

2017-12-04 Thread Andrew Meyer via FreeIPA-users
When I add a new server to FreeIPA, and it fails to add DNS, is there a way to go back and rerun a script to add all the records needed?

[Freeipa-users] Re: adding services to freeipa

2017-11-16 Thread Andrew Meyer via FreeIPA-users
I guess I could fix this by putting a host entry in the /etc/hosts file? On Wednesday, November 15, 2017 11:11 PM, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: Andrew Meyer via FreeIPA-users wrote: > When I try to add puppet i am getting the

[Freeipa-users] Re: sudoers issues

2017-11-10 Thread Andrew Meyer via FreeIPA-users
Yes, This is exactly what I did.  However something is weird and the policy is not being activated...maybe it's a priority thing? On Friday, November 10, 2017 7:17 AM, Aaron Cole via FreeIPA-users wrote: Did you try the command as defined in the

[Freeipa-users] FreeIPA & wireless

2017-11-10 Thread Andrew Meyer via FreeIPA-users
So I was wondering if anyone has FreeIPA setup to do authentication with wireless.  We have an ArubaNetworks platform setup to do EAP-PEAP only communicating back to the current OpenLDAP system, but would like to migrate to FreeIPA.   I was able to set this up using Meraki MR18s but I have to

[Freeipa-users] Re: sudoers issues

2017-11-10 Thread Andrew Meyer via FreeIPA-users
I have not done that yet.  I will do that though. On Friday, November 10, 2017 1:54 PM, Aaron Cole via FreeIPA-users wrote: did you try to setup a new rule with run the user group allowed to run on defined hosts, all commands, as those particular

[Freeipa-users] Re: FreeIPA and 802.1x with wireless

2017-11-13 Thread Andrew Meyer via FreeIPA-users
Also, Is FreeIPA using TLS 1.2? On Monday, November 13, 2017 1:46 PM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: Is anyone doing authentication with wireless using FreeIPA?  If so are you using RADIUS?  What wireless equipment are you using?  Has

[Freeipa-users] FreeIPA and 802.1x with wireless

2017-11-13 Thread Andrew Meyer via FreeIPA-users
Is anyone doing authentication with wireless using FreeIPA?  If so are you using RADIUS?  What wireless equipment are you using?  Has anyone auth'ed straight to LDAP?  I am trying to set this up with Aruba Networks using MacBook Pro running MacOS X 10.11, 10.12, and 10.13 and having minimal

[Freeipa-users] Re: FreeIPA & wireless

2017-11-14 Thread Andrew Meyer via FreeIPA-users
the FreeIPA server in order for the proper security features to work.   We do not have SSL certs on our machine. Mike Plemmons | Senior DevOps Engineer | CrossChx 614.427.2411 mike.plemm...@crosschx.com www.crosschx.com On Fri, Nov 10, 2017 at 11:07 AM, Andrew Meyer via FreeIPA-users &l

[Freeipa-users] Re: adding service

2017-11-20 Thread Andrew Meyer via FreeIPA-users
, Rob Crittenden <rcrit...@redhat.com> wrote: Robbie Harwood via FreeIPA-users wrote: > Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> > writes: > >> [root@asm-rancid02 keytabs]# ipa-getkeytab -s >> asm-rancid02.mgt.asm.borg.local. -p radiu

[Freeipa-users] Re: adding service

2017-11-20 Thread Andrew Meyer via FreeIPA-users
mailto:andrew.meyer@asm-rancid02> ~]$ > > What host is your IPA server? You used asm-dns01.meyer.local for the > LDAP test and asm-rancid02.mgt.asm.borg.local for ipa-getkeytab. > > rob > >> >> >> >> On Monday, November 20, 2017 4:42 PM, Ro

[Freeipa-users] Re: adding service

2017-11-20 Thread Andrew Meyer via FreeIPA-users
Not connecting to the FreeIPA server? On Monday, November 20, 2017 4:36 PM, Robbie Harwood via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes: > [root@asm-rancid02 keytabs]# i

[Freeipa-users] Re: adding service

2017-11-20 Thread Andrew Meyer via FreeIPA-users
: Robbie Harwood via FreeIPA-users wrote: > Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> > writes: > >> [root@asm-rancid02 keytabs]# ipa-getkeytab -s >> asm-rancid02.mgt.asm.borg.local. -p radius/asm-rancid02.mgt.asm.borg.local >> -k /e

[Freeipa-users] Re: adding service

2017-11-20 Thread Andrew Meyer via FreeIPA-users
est and asm-rancid02.mgt.asm.borg.local for ipa-getkeytab. rob > > > > On Monday, November 20, 2017 4:42 PM, Rob Crittenden > <rcrit...@redhat.com> wrote: > > > Robbie Harwood via FreeIPA-users wrote: > >> Andrew Meyer via FreeIPA-users <freeipa-users@lis

[Freeipa-users] adding service

2017-11-20 Thread Andrew Meyer via FreeIPA-users
So I'm trying to add FreeRADIUS as a service to my IPA setup.  I've added the service using --force and I'm trying to get the keytab for it but getting the following error: [root@asm-rancid02 keytabs]# ipa-getkeytab -s asm-rancid02.mgt.asm.borg.local. -p radius/asm-rancid02.mgt.asm.borg.local

[Freeipa-users] Re: adding service

2017-11-20 Thread Andrew Meyer via FreeIPA-users
. Thank you, On Monday, November 20, 2017 5:54 PM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: My apologies.  asm-dns01.meyer.local is my FreeIPA master. On Monday, November 20, 2017 5:46 PM, Rob Crittenden via FreeIPA-users <free

[Freeipa-users] adding puppet to FreeIPA

2017-11-20 Thread Andrew Meyer via FreeIPA-users
Ok now I am trying to add puppet to my FreeIPA environment.  Following the instructions from:  https://www.freeipa.org/page/Howto/Using_FreeIPA_CA_for_Puppet I am getting the following error: [root@asm-automation01 ~]# ipa service-add puppetmaster/asm-automation01.mgt.asm.borg.local ipa: ERROR:

[Freeipa-users] Re: adding puppet to FreeIPA

2017-11-21 Thread Andrew Meyer via FreeIPA-users
Excellent, Thank you for the help. On Tuesday, November 21, 2017 3:01 PM, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: Andrew Meyer via FreeIPA-users wrote: > Ok now I am trying to add puppet to my FreeIPA environment.  Following > the

[Freeipa-users] adding services to freeipa

2017-11-15 Thread Andrew Meyer via FreeIPA-users
When I try to add puppet I am getting the following error: [andrew.meyer@asm-automation01 ~]$ ipa service-add puppetmaster/asm-automation01.mgt.asm.borg.local ipa: ERROR: Host 'asm-automation01.mgt.asm.borg.local' does not have corresponding DNS A/ record [andrew.meyer@asm-automation01 ~]$ I

[Freeipa-users] Re: FreeIPA & wireless

2017-11-15 Thread Andrew Meyer via FreeIPA-users
ri, Nov 10, 2017 at 11:07 AM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: So I was wondering if anyone has FreeIPA setup to do authentication with wireless.   We have an ArubaNetworks platform setup to do EAP-PEAP only communicating back to the cu

[Freeipa-users] Re: FreeIPA & wireless

2017-11-13 Thread Andrew Meyer via FreeIPA-users
.plemm...@crosschx.com www.crosschx.com On Fri, Nov 10, 2017 at 11:07 AM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: So I was wondering if anyone has FreeIPA setup to do authentication with wireless.   We have an ArubaNetworks platform setup to do E

[Freeipa-users] Re: freeipa sudoers help

2017-11-10 Thread Andrew Meyer via FreeIPA-users
I will check this out and get back to you.  thank you. On Friday, November 10, 2017 8:04 AM, Aaron Cole via FreeIPA-users wrote: In IPA the Cmnd_Alias is more like the sudo command group. Basically you have 2 options on how you want to input sudo

[Freeipa-users] Re: mysql and freeipa

2017-11-01 Thread Andrew Meyer via FreeIPA-users
Thank you for the feedback. On Wednesday, November 1, 2017 3:26 PM, Gordon Messmer via FreeIPA-users wrote: On 11/01/2017 09:46 AM, Robbie Harwood wrote: None of that is particularly relevant unless you're specifically supporting MSCHAPv2

[Freeipa-users] adding new server to freeipa

2017-11-03 Thread Andrew Meyer via FreeIPA-users
If I have a server that is in a subdomain of my tld for FreeIPA and I want it to get added into that specific zone during the client install process, the installer errors out and says that it will only recognize 1 FreeIPA server and failover to the other will not be possible.  Is there some way

[Freeipa-users] Re: adding new server to freeipa

2017-11-03 Thread Andrew Meyer via FreeIPA-users
i'm going to be adding a new machine next week.  I'll get screenshots/text output for you.   On Friday, November 3, 2017 1:54 PM, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: Andrew Meyer via FreeIPA-users wrote: > If I have

[Freeipa-users] freeipa sudoers help

2017-11-02 Thread Andrew Meyer via FreeIPA-users
In preparation for a migration I am trying to setup sudoers within freeipa.  I have about a dozen people that will need to sudo to another user and run commands.  However I want to add all the commands for that user into my rule. would this be best practice to add ALL the commands into 1 rule? 

[Freeipa-users] Re: libsss-sudo

2017-11-02 Thread Andrew Meyer via FreeIPA-users
Please disregard. On Thursday, November 2, 2017 2:26 PM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: When installing FreeIPA (latest) on CentOS 7.  If I want to take advantage of IPA sudoers, I need that package correct?  Should it not be installe

[Freeipa-users] Re: freeipa sudoers help

2017-11-02 Thread Andrew Meyer via FreeIPA-users
ers@lists.fedorahosted.org> wrote: Andrew Meyer via FreeIPA-users wrote: > In preparation for a migration I am trying to setup sudoers within > freeipa.  I have about a dozen people that will need to sudo to another > user and run commands.  However I want to add all the commands for that >

[Freeipa-users] libsss-sudo

2017-11-02 Thread Andrew Meyer via FreeIPA-users
When installing FreeIPA (latest) on CentOS 7.  If I want to take advantage of IPA sudoers, I need that package correct?  Should it not be installed when I install freeipa server/client? Just wondering.

[Freeipa-users] Re: sudoers issues

2017-11-09 Thread Andrew Meyer via FreeIPA-users
This is all new territory for me.  If you have any ideas, thank you in advance. On Thursday, November 9, 2017 1:47 AM, Jakub Hrozek via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: On Thu, Nov 09, 2017 at 02:07:03AM +, Andrew Meyer via FreeIPA-users wrote:

[Freeipa-users] Re: sudoers issues

2017-11-09 Thread Andrew Meyer via FreeIPA-users
things. If you’re using sudo in more complex ways and the requirements change a lot, then having the whole thing in IPA would certainly be a win. On Nov 9, 2017, at 8:48 AM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: Ok so I did that and the rules are comi

[Freeipa-users] Re: ldap cache

2017-11-09 Thread Andrew Meyer via FreeIPA-users
1:43 AM, Jakub Hrozek via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: On Wed, Nov 08, 2017 at 03:52:57PM +, Andrew Meyer via FreeIPA-users wrote: > Let's say I have a user that starts today and I forgot to add their > username to FreeIPA.  I add their username a

[Freeipa-users] ldap cache

2017-11-08 Thread Andrew Meyer via FreeIPA-users
Let's say I have a user that starts today and I forgot to add their username to FreeIPA.  I add their username and they need to start working fairly quickly.  I know that I can clear the sudo cache on each server with sss_cache -E but is there a way to do this w/ ldap/kerberos queries to have

[Freeipa-users] Re: FreeIPA sudoers

2017-11-08 Thread Andrew Meyer via FreeIPA-users
OK now I need help w/ another aspect of sudo.  I need to setup a rule so that certain users in a group can su - someuser, or sudo su - someuser. I'm having difficulty researching this.  Can anyone shed light on this? On Wednesday, November 8, 2017 2:57 PM, Andrew Meyer via FreeIPA-users

[Freeipa-users] Re: FreeIPA sudoers

2017-11-08 Thread Andrew Meyer via FreeIPA-users
Nm.  I fixed it. On Wednesday, November 8, 2017 2:28 PM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: so looking at the logs it find a rule: (Wed Nov  8 14:23:29 2017) [sssd[sudo]] [sudosrv_cached_rules_by_user] (0x0400): Replacing sudoUser att

[Freeipa-users] Re: FreeIPA sudoers

2017-11-08 Thread Andrew Meyer via FreeIPA-users
ucture NHK International E-mail: patrick.gr...@nhkusa.com Office #: 248 308 5624 - Original Message - From: "Andrew Meyer via FreeIPA-users" <freeipa-users@lists.fedorahosted.org> To: "Andrew Meyer" <andrewm...@yahoo.com>, "FreeIPA users list"

[Freeipa-users] FreeIPA sudoers

2017-11-08 Thread Andrew Meyer via FreeIPA-users
Hello, i'm having some trouble getting sudoers to work.   I have 5 machines joined to the FreeIPA domain and I have a user group called ops and ops_sudoers.  Both have permission to full sudo.   [andrew.meyer@jira02 ~]$ ipa sudorule-find ALL---1 Sudo Rule

[Freeipa-users] Re: FreeIPA sudoers

2017-11-08 Thread Andrew Meyer via FreeIPA-users
sers <freeipa-users@lists.fedorahosted.org> wrote: Andrew Meyer via FreeIPA-users wrote: > Hello, i'm having some trouble getting sudoers to work.  > > I have 5 machines joined to the FreeIPA domain and I have a user group > called ops and ops_sudoers.  Both have p

[Freeipa-users] sudoers issues

2017-11-08 Thread Andrew Meyer via FreeIPA-users
Hello, I am trying to setup a few of my users to have the ability to su - jira or another user using FreeIPA. Here is what happens when I am logged in as the user and try to su - jira [user1@jira02 ~]$ sudo su - process [sudo] password for user1: Sorry, user user1 is not allowed to execute

[Freeipa-users] Re: openvpn authenticating to freeipa

2017-12-06 Thread Andrew Meyer via FreeIPA-users
success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so That may help. Mike Plemmons | Senior DevOps Engineer | CrossChx 614.427.2411 mike.plemm...@crosschx.com www.crosschx.com On Wed, Dec 6, 2017 at 3:13 PM,

[Freeipa-users] openvpn authenticating to freeipa

2017-12-06 Thread Andrew Meyer via FreeIPA-users
Hello, I am trying to configure my openvpn setup to authenticate against FreeIPA. I have OpenVPN configured and is accepting connections. The package for ldap_auth is installed and configured. However I have tried to setup anonymous ldap lookups and authenticated ldap lookups and neither

[Freeipa-users] Re: openvpn authenticating to freeipa

2017-12-06 Thread Andrew Meyer via FreeIPA-users
so That may help. Mike Plemmons | Senior DevOps Engineer | CrossChx 614.427.2411 mike.plemm...@crosschx.com www.crosschx.com On Wed, Dec 6, 2017 at 3:13 PM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: Hello, >I am trying to configure my openvpn setup to a

[Freeipa-users] mysql and freeipa

2017-10-31 Thread Andrew Meyer via FreeIPA-users
I am trying to research how to setup MySQL/MariaDB to authenticate against FreeIPA/LDAP.  I am running into some issues/confusion. Do I need to add a new user account to tie mysql to? I've been following this website: FreeIPA: Giving permissions to service accounts. — Firstyear's blog-a-log |

[Freeipa-users] Re: adding users to other user groups

2018-05-14 Thread Andrew Meyer via FreeIPA-users
Ok.  I will check this out. Thank you! On Monday, May 14, 2018 10:59 AM, Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: On ma, 14 touko 2018, Andrew Meyer via FreeIPA-users wrote: >Hello,I am trying to add a new user to another group.  T

[Freeipa-users] adding users to other user groups

2018-05-14 Thread Andrew Meyer via FreeIPA-users
Hello, I am trying to add a new user to another group.  This group was setup for another user.  When I create the user it seems to do the same thing as when I create them on a local system.  I get a User and a group for the user as well.  However when I go to add another user to that newly

[Freeipa-users] clients-per-query

2018-04-27 Thread Andrew Meyer via FreeIPA-users
So in my logs on I am getting the following: -23-Apr-2018 01:25:20.041 clients-per-query decreased to 14 I have not seen this on any other DNS server I have come across. Is this normal for FreeIPA? Can the limits be increased by default?

[Freeipa-users] A record discrepency

2018-05-11 Thread Andrew Meyer via FreeIPA-users
On one of my FreeIPA servers I have an A record that points to the correct IP in the web ui, but when I go look at the raw file in /var/named/dyndb-ldap/ipa/master/zone.net/raw it is incorrect.  I have done a kinit admin, and then ipa-replica-manage re-initialize --from

[Freeipa-users] Re: A record discrepency

2018-05-11 Thread Andrew Meyer via FreeIPA-users
/named/dyndb-ldap/ipa/master/zone.net/ and try to cat the raw file and it's not there...  I did a ipa-replica-manage re-initialize thinking that would bring it over and it didn't.   BTW, This is CentOS 7.4 and FreeIPA 4.5.x. Thank you! On Friday, May 11, 2018 8:27 AM, Andrew Meyer via FreeIPA

[Freeipa-users] Re: ipsilon

2018-05-22 Thread Andrew Meyer via FreeIPA-users
What about on CentOS 7? On Tuesday, May 22, 2018 5:08 AM, Jan Pazdziora via FreeIPA-users wrote: On Thu, May 17, 2018 at 10:53:13PM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On to, 17 touko 2018, Andrew Meyer wrote: > > So I followed the

[Freeipa-users] authoritative name-server

2018-05-17 Thread Andrew Meyer via FreeIPA-users
In my current freeipa setup when I go in to the dns zone I see the authoritative name server is incorrect.  When I removed the server shouldn't it have changed it? Also when I go look at the bind config in /var/named/dyndb-ldap/master/example.net/raw the SOA line shows the correct server. 

[Freeipa-users] ipsilon

2018-05-17 Thread Andrew Meyer via FreeIPA-users
Has anyone installed this on their prod FreeIPA installation?  I need to hook FreeIPA into some other auth systems that don't support LDAP.

[Freeipa-users] Re: ipsilon

2018-05-17 Thread Andrew Meyer via FreeIPA-users
-dev.example.local/idp/login/gssapi/negotiate?ipsilon_transaction_id=94fe5ec3-1608-4977-840a-8b186f4eee28 On Thursday, May 17, 2018 2:25 PM, Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: On to, 17 touko 2018, Andrew Meyer via FreeIPA-users wrote: >H

[Freeipa-users] auth to pther providers still using freeipa

2018-05-16 Thread Andrew Meyer via FreeIPA-users
My company is wanting to use FreeIPA for everything.  However we also utilize other external services that have their own auth system but can support oauth, or gsuite/facebook etc etc.  Is this possible w/ FreeIPA? Also, Searching through google I found this - Ipsilon.  Would you recommend I use

[Freeipa-users] keycloak

2018-06-07 Thread Andrew Meyer via FreeIPA-users
what is the difference between keycloak and freeipa? Is there a free version of this?  Is that what ipsilon is?  If not is there a repo for this?

[Freeipa-users] Re: keycloak

2018-06-07 Thread Andrew Meyer via FreeIPA-users
Thanks for the clarification! On Thursday, June 7, 2018 2:32 PM, Jochen Hein via FreeIPA-users wrote: Rob Crittenden via FreeIPA-users writes: > I don't know where Keycloak upstream is. Look at http://www.keycloak.org Jochen -- This space is intentionally left blank.

[Freeipa-users] ipsilon

2018-06-06 Thread Andrew Meyer via FreeIPA-users
Not sure if this is the right place for support w/ ipsilon.  But I got it installed and I'm able to browse to the website and login now.  However when I go to the login stack there are some buttons to the right of the login plugins, and they say that's it.  What does that mean?  Also I've

[Freeipa-users] multiple sub-domains

2017-10-19 Thread Andrew Meyer via FreeIPA-users
I am running into an issue deploying FreeIPA.  I am converting from OpenLDAP.  However I have multiple sub-domain under my tld. So let's say I own example.com I have multiple zones under that where I have servers sitting.  All of these sub-domains are specific to VLANs as well.

[Freeipa-users] Re: web administration on secondary node

2018-01-30 Thread Andrew Meyer via FreeIPA-users
Please ignore.  This is an issue w/ my proxy. On Tuesday, January 30, 2018 10:01 AM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: I was just checking the web admin on my secondary node (still in testing phase) but it won't resolve at all.  I'm no

[Freeipa-users] web administration on secondary node

2018-01-30 Thread Andrew Meyer via FreeIPA-users
I was just checking the web admin on my secondary node (still in testing phase) but it won't resolve at all. I'm not sure why. These are the only errors I have from the Apache logs: [Tue Jan 30 09:49:54.429727 2018] [mpm_prefork:notice] [pid 3637] AH00170: caught SIGWINCH, shutting down

[Freeipa-users] Re: FreeIPA replica in AWS

2018-02-08 Thread Andrew Meyer via FreeIPA-users
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information On Thursday, February 8, 2018 8:01 AM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: Thank you, I al

[Freeipa-users] Re: FreeIPA replica in AWS

2018-02-08 Thread Andrew Meyer via FreeIPA-users
That's what I thought.  Thank you for confirming that! On Thursday, February 8, 2018 11:26 AM, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: Andrew Meyer via FreeIPA-users wrote: > Ok, I got further this time.  Now I am getting this error: >

[Freeipa-users] Re: FreeIPA replica in AWS

2018-02-08 Thread Andrew Meyer via FreeIPA-users
:32:57Z DEBUG request body ''  On Thursday, February 8, 2018 11:29 AM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: That's what I thought.  Thank you for confirming that! On Thursday, February 8, 2018 11:26 AM, Rob Crittenden via FreeIPA

[Freeipa-users] FreeIPA replica in AWS

2018-02-07 Thread Andrew Meyer via FreeIPA-users
I just got FreeIPA added as a client and then I tried to promote it as a replica. I got the following error: Done configuring kadmin. Configuring directory server (dirsrv) [1/3]: configuring TLS for DS instance [error] RuntimeError: Certificate issuance failed (CA_REJECTED) Your system may be

[Freeipa-users] FreeIPA in EC2

2018-02-07 Thread Andrew Meyer via FreeIPA-users
We are trying to deploy FreeIPA in our environment, this will be a mix of local servers and server to manage auth in EC2. We have a vpn tunnel setup and are able to communicate across it. In an Amazon Linux 2 instance I was able to get FreeIPA installed as a client and am now trying to promote

[Freeipa-users] resolvers

2018-02-12 Thread Andrew Meyer via FreeIPA-users
If I don't have global resolver FreeIPA will fallback to using what is in /etc/resolv.conf, correct?

[Freeipa-users] DNS forward zones

2018-02-12 Thread Andrew Meyer via FreeIPA-users
Is it possible to have DNS forward zones only exist on servers in a specific location?

[Freeipa-users] deploying freeipa

2018-02-12 Thread Andrew Meyer via FreeIPA-users
I know I have sent in multiple emails, but we are trying to deploy FreeIPA correctly.  However I am getting asked to find out some other details.   Can FreeIPA survive w/o DNS?  We would like to implement FreeIPA and still be able to use the SSH, sudo, selinux, LDAP & krb5.   We are moving to

[Freeipa-users] Re: deploying freeipa

2018-02-13 Thread Andrew Meyer via FreeIPA-users
users. And it's perfectly fine, especially if you already have another instrument for dns managing. I haven't experienced any problems from such setup so far. 2018-02-13 17:10 GMT+03:00 Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org>: Fish the entries?  Can you elaborate o

[Freeipa-users] Re: deploying freeipa

2018-02-13 Thread Andrew Meyer via FreeIPA-users
2:58 AM, Alex Corcoles via FreeIPA-users ><freeipa-users@lists.fedorahosted.org> wrote: > > > You can, but you need to add the DNS entries that FreeIPA adds to its domain > to your DNS server. > >What I did was install FreeIPA in a test environment and fish the entri

[Freeipa-users] Re: deploying freeipa

2018-02-13 Thread Andrew Meyer via FreeIPA-users
org> wrote: You can, but you need to add the DNS entries that FreeIPA adds to its domain to your DNS server. What I did was install FreeIPA in a test environment and fish the entries from there. On Tue, Feb 13, 2018 at 4:37 AM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorah

[Freeipa-users] Re: FreeIPA replica in AWS

2018-02-09 Thread Andrew Meyer via FreeIPA-users
EBUG SUCCESS: port: 8080 > 2018-02-08T20:32:54Z DEBUG waiting for port: 8443 > 2018-02-08T20:32:54Z DEBUG Failed to connect to port 8443 tcp on 127.0.0.1 > 2018-02-08T20:32:57Z DEBUG SUCCESS: port: 8443 > 2018-02-08T20:32:57Z DEBUG Waiting until the CA is running > 2018-02-08T

[Freeipa-users] errors when adding a new server

2018-02-19 Thread Andrew Meyer via FreeIPA-users
So I rebuilt a server tonight and gave it a new hostname but I'm getting the following error when trying to add the new one.  Skip ipa.domain.local: cannot verify if this is an IPA server Provide your IPA server name (ex: ipa.example.com): ipa.domain.local Skip ipa.domain.local: cannot verify

[Freeipa-users] Re: errors when adding a new server

2018-02-20 Thread Andrew Meyer via FreeIPA-users
Sorry, I am running the ipa-client-install script and it's not auto finding the FreeIPA server. On Tuesday, February 20, 2018 1:00 PM, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: Andrew Meyer via FreeIPA-users wrote: > So I rebuilt a serve

[Freeipa-users] dns migration

2018-02-16 Thread Andrew Meyer via FreeIPA-users
While getting my company set up to use FreeIPA and migrate from the old BIND DNS I have set up a forward zone on our nameservers to point exmaple.net to my FreeIPA servers.   When I try to do a query from the main DNS resolvers I get the following: client 10.1.0.66#61548: view internal: query:

[Freeipa-users] DNS forwarder policies

2018-02-21 Thread Andrew Meyer via FreeIPA-users
Is there a way to specify a policy for 1 zone to be on 1 server or on a set of servers in 1 location?

[Freeipa-users] Re: api scripts

2017-12-26 Thread Andrew Meyer via FreeIPA-users
Jens, I'm not familiar w/ Python.  How do I pass the url, user and realm to it?  Do I do something like this - './freeipaclient.py url=myurl user=username' ? Thank you! On Thursday, December 21, 2017 2:40 PM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org>

[Freeipa-users] freeipa in amazon

2017-12-28 Thread Andrew Meyer via FreeIPA-users
My company is looking to migrate a lot of our stuff to amazon and shut down what we have in the data-centers.  However there was no plan to migrate the ldap system we have.   I have since suggested that we look into FreeIPA.  This is well liked but my boss wants to use Route53 for split horizon

[Freeipa-users] api scripts

2017-12-20 Thread Andrew Meyer via FreeIPA-users
Does anyone have any examples or could share what they have written? I am trying to write a script and not sure what components I need.

[Freeipa-users] Re: api scripts

2017-12-21 Thread Andrew Meyer via FreeIPA-users
Thank you On Thursday, December 21, 2017 4:31 AM, Jens Timmerman via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: Hi Andrew, On 20/12/2017 22:42, Andrew Meyer via FreeIPA-users wrote: > Does anyone have any examples or could share what they have written? > &

[Freeipa-users] Re: api scripts

2017-12-21 Thread Andrew Meyer via FreeIPA-users
Does this script prompt you to enter the data needed or do I need to hard code it? On Thursday, December 21, 2017 10:50 AM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: Thank you On Thursday, December 21, 2017 4:31 AM, Jens Timmerman via F

[Freeipa-users] DNS records erroring when entering main zone

2018-02-26 Thread Andrew Meyer via FreeIPA-users
A while back when I created my FreeIPA servers I added locations to them.  I then added 1 more server and removed it for testing purposes.  However now when I go into my main zone I am seeing the following errors: Some operations failed.Hide details -

[Freeipa-users] DNS issues

2018-08-02 Thread Andrew Meyer via FreeIPA-users
So I've had my FreeIPA setup for about 6 months now at my company.  As of recently I'm seeing some issues where if I try to dig against the servers I get nothing back.  I do not have a global forwarder setup because it should automatically go outbound if it's not in its own table, correct? This

[Freeipa-users] DNS Forwarders

2018-08-02 Thread Andrew Meyer via FreeIPA-users
Is it possible to have a per server zone forwarder in /etc/named.conf and NOT break replication?
