Re: [Freeipa-users] How can I change my password from a python script?

2012-06-29 Thread Martin Kosek
On Thu, 2012-06-28 at 16:42 -0700, Joe Linoff wrote: Hi Petr: I implemented what you suggested and everything worked pretty well but I ran into three issues that you might be able to help me with. ISSUE #1 The first issue (and the most important) is that the password is only temporary. I

Re: [Freeipa-users] How can I change my password from a python script?

2012-06-29 Thread Joe Linoff
Hi Martin: Thank you. This is very helpful. I am going to try the group functions tomorrow morning (PST). Regards, Joe -Original Message- From: Martin Kosek [mailto:mko...@redhat.com] Sent: Friday, June 29, 2012 12:07 AM To: Joe Linoff Cc: Petr Vobornik; freeipa-users@redhat.com

Re: [Freeipa-users] How can I change my password from a python script?

2012-06-29 Thread Alexander Bokovoy
On Fri, 29 Jun 2012, Martin Kosek wrote: On Thu, 2012-06-28 at 16:42 -0700, Joe Linoff wrote: Hi Petr: I implemented what you suggested and everything worked pretty well but I ran into three issues that you might be able to help me with. ISSUE #1 The first issue (and the most important) is

Re: [Freeipa-users] How can I change my password from a python script?

2012-06-29 Thread Martin Kosek
IMHO, 2.1.3 - 2.2 upgrade should be safe, although I don't know if something was changed in CentOS compared to RHEL where this should just work. Btw there is one thing I just realized, you will probably have to go with Alexander's approach as the password expiration backend is available in GIT in

Re: [Freeipa-users] How can I change my password from a python script?

2012-06-29 Thread Joe Linoff
you will probably have to go with Alexander's approach as the password expiration backend is available in GIT in master branch only, i.e. in future IPA 3.0. Will do. Thanks. Joe -Original Message- From: Martin Kosek [mailto:mko...@redhat.com] Sent: Friday, June 29, 2012 12:38 AM

Re: [Freeipa-users] How can I change my password from a python script?

2012-06-29 Thread Alexander Bokovoy
On Fri, 29 Jun 2012, Joe Linoff wrote: Hi Alexander: Thank you. I appreciate the feedback. Is it safe to upgrade to 2.2 on a CentOS 6.2 system? I used 2.1.3 because it was in the rpm distribution. I haven't used CentOS 6.2 so I cannot suggest anything on this front. -- / Alexander Bokovoy

[Freeipa-users] kdc on the internet

2012-06-29 Thread Natxo Asenjo
hi, Is it 'safe' to use ipa on the internet? My feeling is it is, I mean, kerberos is meant for untrusted networks. What are your thoughts about this? What ports of the kdc should *not* be accessible? -- Groeten, natxo

[Freeipa-users] replica failed to uninstall cleanly

2012-06-29 Thread David Spångberg
Hello I have a problem similar to the problem George He talked about last week in this mailing list: - http://article.gmane.org/gmane.linux.redhat.freeipa.user/4895 Basically I have an ipa master running and wanted to set up a replica. However the CA installation step failed and the

Re: [Freeipa-users] UID 999, not possible?

2012-06-29 Thread Alexander Bokovoy
On Thu, 28 Jun 2012, sysad...@noboost.org wrote: Hi All, Is there a weird restriction to UID 999 in ipa, as IPA keeps changing the UID when I add a user with that number? (I've already checked the UID isn't in use) We use 999 as a marker for DNA plugin. UID/GID 999 is replaced by an allocated

[Freeipa-users] pam_systemd(sshd:session): Failed to create session

2012-06-29 Thread george he
Hello all, I'm running out of time to figure out what was wrong with my replica set up, so I just went ahead and installed ipa-client on that machine. It seems the client was installed all right, except when I ssh to the new client from another client, I get this: Could not chdir to home

Re: [Freeipa-users] pam_systemd(sshd:session): Failed to create session

2012-06-29 Thread Dan Scott
Hi, I don't know if this is done by the default IPA install, but you need to configure it to auto create home directories: authconfig --update --enablemkhomedir You may need the oddjob-mkhomedir package installed too. Thanks, Dan On Fri, Jun 29, 2012 at 9:42 AM, george he

Re: [Freeipa-users] UID 999, not possible?

2012-06-29 Thread Alexander Bokovoy
On Fri, 29 Jun 2012, Petr Viktorin wrote: On 06/29/2012 03:04 PM, Alexander Bokovoy wrote: On Thu, 28 Jun 2012, sysad...@noboost.org wrote: Hi All, Is there a weird restriction to UID 999 in ipa, as IPA keeps changing the UID when I add a user with that number? (I've already checked the UID

Re: [Freeipa-users] pam_systemd(sshd:session): Failed to create session

2012-06-29 Thread george he
Hello Dan, Many thanks. It worked. Now I remember this was done by default on my other clients... don't know why. George From: Dan Scott danieljamessc...@gmail.com To: george he george_...@yahoo.com Cc: freeipa-users@redhat.com freeipa-users@redhat.com Sent:

Re: [Freeipa-users] UID 999, not possible?

2012-06-29 Thread Petr Viktorin
On 06/29/2012 03:55 PM, Alexander Bokovoy wrote: On Fri, 29 Jun 2012, Petr Viktorin wrote: On 06/29/2012 03:04 PM, Alexander Bokovoy wrote: On Thu, 28 Jun 2012, sysad...@noboost.org wrote: Hi All, Is there a weird restriction to UID 999 in ipa, as IPA keeps changing the UID when I add a user

Re: [Freeipa-users] nfs server

2012-06-29 Thread Simo Sorce
On Fri, 2012-06-29 at 07:18 -0700, george he wrote: Hello all, Now I have an ipa server and a few ipa clients set up, I need to set up an nfs server on one of the ipa-clients. I'm following the instructions here

Re: [Freeipa-users] nfs server

2012-06-29 Thread george he
Hello Simo, So you mean I should run ipa-getkeytab -s my.ipaserver.edu -p nfs/my.nfsserve@myrealm.edu -k /tmp/krb5.keytab on the ipa-server, and ipa-getkeytab -s my.ipaserver.edu -p nfs/my.nfsserve@myrealm.edu -k my.ipaserver.edu:/tmp/krb5.keytab on the nfs-server? where

Re: [Freeipa-users] nfs server

2012-06-29 Thread Simo Sorce
On Fri, 2012-06-29 at 07:45 -0700, george he wrote: Hello Simo, So you mean I should run ipa-getkeytab -s my.ipaserver.edu -p nfs/my.nfsserve@myrealm.edu -k /tmp/krb5.keytab on the ipa-server, and You should run the command only once (running more than once will simply

Re: [Freeipa-users] nfs server

2012-06-29 Thread Rob Crittenden
george he wrote: Hello Simo, So you mean I should run ipa-getkeytab -s my.ipaserver.edu -p nfs/my.nfsserve@myrealm.edu -k /tmp/krb5.keytab on the ipa-server, and ipa-getkeytab -s my.ipaserver.edu -p nfs/my.nfsserve@myrealm.edu -k my.ipaserver.edu:/tmp/krb5.keytab on the nfs-server?

Re: [Freeipa-users] replica failed to uninstall cleanly

2012-06-29 Thread Rob Crittenden
David Spångberg wrote: Hello I have a problem similar to the problem George He talked about last week in this mailing list: - http://article.gmane.org/gmane.linux.redhat.freeipa.user/4895 Basically I have an ipa master running and wanted to set up a replica. However the CA installation step

Re: [Freeipa-users] How can I change my password from a python script?

2012-06-29 Thread Joe Linoff
Hi Rob: This is so only the end-user knows the password. That makes good sense. Your suggestions will help me in my test environment. Thanks, Joe -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: Friday, June 29, 2012 8:07 AM To: Joe Linoff Cc: Petr

[Freeipa-users] rpcgssd

2012-06-29 Thread george he
Hello all, Is there a problem with this document: https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/kerb-nfs.html It says Start the GSS daemon. [root@nfs-client-server ~]# service rpcgssd start but when I do it, the nfs-client says Failed to issue method call: Unit

Re: [Freeipa-users] rpcgssd

2012-06-29 Thread Rob Crittenden
george he wrote: Hello all, Is there a problem with this document: https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/kerb-nfs.html It says Start the GSS daemon. [root@nfs-client-server ~]# service rpcgssd start but when I do it, the nfs-client says Failed to issue method

Re: [Freeipa-users] rpcgssd

2012-06-29 Thread george he
Hello Rob, It is fedora 17. I did systemctl start nfs-secure.service on the nfs-server. No error message. What needs to be started on the nfs-client in order to mount the share (which is on a separate disk, if it matters). I tried mount -v -t nfs4 -o sec=krb5 mynfsserver.edu:/data /mnt/nfs/ on

Re: [Freeipa-users] nfs server

2012-06-29 Thread Simo Sorce
On Fri, 2012-06-29 at 08:08 -0700, george he wrote: Hello, do you mean to run only this on the nfs-server? ipa-getkeytab -s my.ipaserver.edu -p nfs/my.nfsserve@myrealm.edu -k /etc/krb5.keytab Rob says to run ipa-getkeytab on each machine... So I guess I should run the above

Re: [Freeipa-users] rpcgssd

2012-06-29 Thread george he
Hello all, nfs-secure.service is running on the client, but I still get mount.nfs4: mount(2): Permission denied and there's no message in /var/log/. Any help? Thanks, George From: george he george_...@yahoo.com To: Rob Crittenden rcrit...@redhat.com Cc:

[Freeipa-users] nfs4 acl

2012-06-29 Thread Natxo Asenjo
hi, I followed the instructions here http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/kerb-nfs.html and they worked flawlessly. Is it possible to use acls on nfs4 with a rhel 6 nfs server? if that is not possible, is it possible to use a netapp file as

Re: [Freeipa-users] FreeIPA webserver cert expired.

2012-06-29 Thread Paul Tader
On 6/11/12 9:16 AM, Paul Tader wrote: On 6/5/12 2:33 PM, Rob Crittenden wrote: JR Aquino wrote: On Jun 5, 2012, at 11:18 AM, Paul Tader wrote: A couple days ago my (apache) certificates expired. Users are able to kinit but tools such as sudo fail because of the expired certificates. Lots of

Re: [Freeipa-users] FreeIPA webserver cert expired.

2012-06-29 Thread Rob Crittenden
Paul Tader wrote: On 6/11/12 9:16 AM, Paul Tader wrote: On 6/5/12 2:33 PM, Rob Crittenden wrote: JR Aquino wrote: On Jun 5, 2012, at 11:18 AM, Paul Tader wrote: A couple days ago my (apache) certificates expired. Users are able to kinit but tools such as sudo fail because of the expired

[Freeipa-users] Authentication failure when a reset the password

2012-06-29 Thread Joe Linoff
Hi Everybody. I ran into a strange problem today: I reset a user password in the GUI to Test1234 for testing but when I tried to login as that user and enter the password, I got an authentication error. Does anyone know why this might be occurring or how I can debug it? Here are some

Re: [Freeipa-users] Authentication failure when a reset the password

2012-06-29 Thread Stephen Ingram
On Fri, Jun 29, 2012 at 6:11 PM, Joe Linoff jlin...@tabula.com wrote: Hi Everybody. I ran into a strange problem today: I reset a user password in the GUI to “Test1234” for testing but when I tried to login as that user and enter the password, I got an authentication error. Does anyone know