[Freeipa-users] NFS v4 integration how to

2012-12-07 Thread Petr Spacek
Hello list, I accidentally found the following how-to: http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA Did somebody try it? Did it work? -- Petr^2 Spacek

Re: [Freeipa-users] NFS v4 integration how to

2012-12-07 Thread Christian Horn
On Fri, Dec 07, 2012 at 01:02:01PM +0100, Petr Spacek wrote: I accidentally found the following how-to: http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA Did somebody try it? Did it work? Looks good, although I like the 'nfsroot' style of nfsv4. My notes are at

Re: [Freeipa-users] NFS v4 integration how to

2012-12-07 Thread Ondrej Valousek
Three notes: 1. /export *(rw,sec=krb5,no_subtree_check,no_root_squash) is better than /export gss/krb5(rw,no_subtree_check,no_root_squash) 2. Kerberos library is still too picky about reverse DNS records - i.e. if the reverse DNS does not match the principal name in keytab, you are most

Re: [Freeipa-users] FreeIpa 3.0.1 installation on Fedora 18

2012-12-07 Thread Maciej Sawicki
On Fri, Dec 7, 2012 at 12:57 AM, Dmitri Pal d...@redhat.com wrote: Do you have SELinux enabled? Any AVCs? it's disabled [maciek@freeipa ~]$ sudo sestatus [sudo] password for maciek: SELinux status: disabled best regards, Maciek

Re: [Freeipa-users] NFS v4 integration how to

2012-12-07 Thread Rob Crittenden
Ondrej Valousek wrote: Three notes: 1. /export *(rw,sec=krb5,no_subtree_check,no_root_squash) is better than /export gss/krb5(rw,no_subtree_check,no_root_squash) 2. Kerberos library is still too picky about reverse DNS records - i.e. if the reverse DNS does not match the principal name in

Re: [Freeipa-users] select users cannot sudo or login at the console

2012-12-07 Thread Rob Crittenden
Albert Adams wrote: Rob, There are no HBAC rules defined other than the default allow_all rule which has not been customized. It is a vanilla install at this point. I have not added anything other than the replica, a few clients, one user group and the users to the system. Ok. I would update

Re: [Freeipa-users] NFS v4 integration how to

2012-12-07 Thread Simo Sorce
On Fri, 2012-12-07 at 13:40 +0100, Ondrej Valousek wrote: Three notes: 1. /export *(rw,sec=krb5,no_subtree_check,no_root_squash) is better than /export gss/krb5(rw,no_subtree_check,no_root_squash) It would be even better with root_squash imo :-) (as a default) 2. Kerberos library is

Re: [Freeipa-users] select users cannot sudo or login at the console

2012-12-07 Thread Jakub Hrozek
On Fri, Dec 07, 2012 at 09:33:22AM -0500, Rob Crittenden wrote: Albert Adams wrote: Rob, There are no HBAC rules defined other than the default allow_all rule which has not been customized. It is a vanilla install at this point. I have not added anything other than the replica, a few

Re: [Freeipa-users] FreeIpa 3.0.1 installation on Fedora 18

2012-12-07 Thread Maciej Sawicki
Enabling SELinux fixed the problem. Thank you for the help! regards, Maciek On Fri, Dec 7, 2012 at 2:05 PM, Maciej Sawicki viroos...@gmail.com wrote: On Fri, Dec 7, 2012 at 12:57 AM, Dmitri Pal d...@redhat.com wrote: Do you have SELinux enabled? Any AVCs? it's disabled [maciek@freeipa ~]$

[Freeipa-users] Certificate serial number not found error

2012-12-07 Thread James Hogarth
Hi, When trying to view a particular service (or the related host) I'm getting the following error in the UI: IPA Error 4301 Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0xffe000c not found) Now I've seen a similar issue in the past when replication has played

Re: [Freeipa-users] select users cannot sudo or login at the console

2012-12-07 Thread Albert Adams
Jakub, Thanks for the reply. Please see the original post. I included a couple of snippets from /var/log/secure and pam_sss is being used. Albert On Fri, Dec 7, 2012 at 10:16 AM, freeipa-users-requ...@redhat.com wrote: select users cannot sudo or login at the console

Re: [Freeipa-users] error adding replica

2012-12-07 Thread Rob Crittenden
Natxo Asenjo wrote: On Mon, Dec 3, 2012 at 4:50 PM, Rob Crittenden rcrit...@redhat.com wrote: Natxo Asenjo wrote: hi, I have a 6.3 centos server that has been upgraded since 6.1. According to the ipaserver-install.log, I installed it on feb 3 2012 so it has been upgraded at least once. Now

Re: [Freeipa-users] sssd cache

2012-12-07 Thread Natxo Asenjo
On Wed, Dec 5, 2012 at 3:29 PM, Simo Sorce s...@redhat.com wrote: As a test to show why the cache is important do this: 1. Create a directory 2. create 100 files in this directory 3. chown each file to a different user and a different group each 4. stop sssd, wipe cache file and restart 5.

Re: [Freeipa-users] Cmd-line Unprovision OTP setting for a host

2012-12-07 Thread Charlie Derwent
Sorry for the extremely late reply, rebuilds of clients, keytab and configuration primarily but certs too would be nice. What we currently do during our provisioning process is disable the host and reset the password (as previously mentioned) during the kickstart setup process so the server can