[Freeipa-users] Failed to initialize credentials using keytab

2012-07-10 Thread freeipa
Hi All, Server: RHEL 6.3 ipa-admintools-2.2.0-16.el6.x86_64 ipa-client-2.2.0-16.el6.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-python-2.2.0-16.el6.x86_64 ipa-server-2.2.0-16.el6.x86_64 ipa-server-selinux-2.2.0-16.el6.x86_64

Re: [Freeipa-users] Failed to initialize credentials using keytab

2012-07-10 Thread Ondrej Valousek
does kinit -k host/sysvm-ipa.example@example.com work for you? On 07/10/2012 10:53 AM, free...@noboost.org wrote: Hi All, Server: RHEL 6.3 ipa-admintools-2.2.0-16.el6.x86_64 ipa-client-2.2.0-16.el6.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch ipa-pki-common-theme-9.0.3-7.el6.noarch

[Freeipa-users] ipa samba win7

2012-07-10 Thread george he
Hello all, I have an ipa client that is also a file server. How do I set up a samba server on the file server so that the files can be accessed by a win7 machine, which is not a member of the ipa realm? Should I set the file server as a domain controller? How do I deal with the passdb backend

Re: [Freeipa-users] ipa samba win7

2012-07-10 Thread george he
Hi Ondrej, The win7 is standing alone. I don't have an AD for it. I used to have a samba domain controller that took care of user authentication for both linux and winxp machines. Thanks, George From: Ondrej Valousek ondr...@s3group.cz To:

Re: [Freeipa-users] ipa samba win7

2012-07-10 Thread Ondrej Valousek
Well, if you want to integrate Windows machines, you'd better stick with Samba (you can try Samba 4 if you prefer the IPA-like integration). IPA itself looks and feels like AD but it is not compatible with AD - it is intended mainly for Linux machines. Ondrej On 07/10/2012 03:25 PM,

Re: [Freeipa-users] ipa samba win7

2012-07-10 Thread george he
Hi Simo, Could you advise how to add 1. the samba samAccount objectclass to a user, and 2. the sambaGroups class to a group? I guess I would need to use ldap commands, which I don't know enough. By the way, do I need to add both of the above, or if everybody is allowed to use the samba share,

[Freeipa-users] sudo hostgroup sanity check, please?

2012-07-10 Thread KodaK
I'm running IPA 2.2.0 on RHEL6 Server: [root@validserver ~]# rpm -qa | grep ipa ipa-client-2.2.0-16.el6.x86_64 ipa-pki-common-theme-9.0.3-7.el6.noarch libipa_hbac-python-1.8.0-32.el6.x86_64 ipa-python-2.2.0-16.el6.x86_64 ipa-server-2.2.0-16.el6.x86_64 ipa-server-selinux-2.2.0-16.el6.x86_64

Re: [Freeipa-users] sudo hostgroup sanity check, please?

2012-07-10 Thread KodaK
Further information: I do have: ldap_netgroup_search_base = cn=ng,cn=compat,dc=validdomain,dc=com In /etc/sssd/sssd.conf Is cn=ng,cn=compat correct? --Jason On Tue, Jul 10, 2012 at 2:15 PM, KodaK sako...@gmail.com wrote: I'm running IPA 2.2.0 on RHEL6 Server: [root@validserver ~]# rpm

[Freeipa-users] IPA + OpenAFS

2012-07-10 Thread Qing Chang
please forgive me if this is a question that has been answered somewhere already. I am almost finished setting up my first OpenAFS cell using IPA's KDC for authentication but stumble on this error: [root@smb1 ~]# fs setacl /afs system:anyuser rl fs: You don't have the required access rights on

Re: [Freeipa-users] sudo hostgroup sanity check, please?

2012-07-10 Thread Dmitri Pal
On 07/10/2012 03:15 PM, KodaK wrote: I'm running IPA 2.2.0 on RHEL6 Server: [root@validserver ~]# rpm -qa | grep ipa ipa-client-2.2.0-16.el6.x86_64 ipa-pki-common-theme-9.0.3-7.el6.noarch libipa_hbac-python-1.8.0-32.el6.x86_64 ipa-python-2.2.0-16.el6.x86_64 ipa-server-2.2.0-16.el6.x86_64

Re: [Freeipa-users] sudo hostgroup sanity check, please?

2012-07-10 Thread Natxo Asenjo
On Tue, Jul 10, 2012 at 10:16 PM, KodaK sako...@gmail.com wrote: On Tue, Jul 10, 2012 at 2:56 PM, Dmitri Pal d...@redhat.com wrote: Do you see host netgroup coming over to the system when you enumerate netgroups? I don't know how to do this at the command line. I'm googling for it.

Re: [Freeipa-users] sudo hostgroup sanity check, please?

2012-07-10 Thread JR Aquino
On Jul 10, 2012, at 12:28 PM, KodaK wrote: Further information: I do have: ldap_netgroup_search_base = cn=ng,cn=compat,dc=validdomain,dc=com Go ahead and remove this line. Previous legacy versions of sssd required it. I believe it just gets in the way now. You also want to run: $

Re: [Freeipa-users] sudo hostgroup sanity check, please?

2012-07-10 Thread Nalin Dahyabhai
On Tue, Jul 10, 2012 at 02:15:41PM -0500, KodaK wrote: [snip] My sudo-ldap.conf file: binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com bindpw validpassword ssl start_tls tls_cacertfile /etc/ipa/ca.crt tls_checkpeer yes bind_timelimit 5 timelimit 15 uri